Fix ipv4_from_asc behavior on invalid Ip addresses

sscanf() call in ipv4_from_asc does not check that
the string is terminated immediately after the last digit.

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16201)

diff --git a/crypto/x509/v3_utl.c b/crypto/x509/v3_utl.c
index 255db422bdf5301cc08dd7b5bd251df6ec2332cf..77d54213494b7b429e5a56dfd632ecc939f00966 100644 (file)
--- a/crypto/x509/v3_utl.c
+++ b/crypto/x509/v3_utl.c
@@ -1096,13 +1096,17 @@ int ossl_a2i_ipadd(unsigned char *ipout, const char *ipasc)
 
 static int ipv4_from_asc(unsigned char *v4, const char *in)
 {
-    int a0, a1, a2, a3;
+    const char *p;
+    int a0, a1, a2, a3, n;
 
-    if (sscanf(in, "%d.%d.%d.%d", &a0, &a1, &a2, &a3) != 4)
+    if (sscanf(in, "%d.%d.%d.%d%n", &a0, &a1, &a2, &a3, &n) != 4)
         return 0;
     if ((a0 < 0) || (a0 > 255) || (a1 < 0) || (a1 > 255)
         || (a2 < 0) || (a2 > 255) || (a3 < 0) || (a3 > 255))
         return 0;
+    p = in + n;
+    if (!(*p == '\0' || ossl_isspace(*p)))
+        return 0;
     v4[0] = a0;
     v4[1] = a1;
     v4[2] = a2;