From: Victor Julien Date: Tue, 1 Mar 2022 11:42:49 +0000 (+0100) Subject: detect/iponly: validate netmask X-Git-Tag: suricata-5.0.9~47 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=2d2b94546662d222eafd425f5de47c364127ded8;p=thirdparty%2Fsuricata.git detect/iponly: validate netmask Only accept netmask in dotted quad notation if they can be turned into a CIDR. According to rfc 4632, CIDR (compat) netmasks are all that should be used. Bug: #5168. (cherry picked from commit 79b7b7a0ddfdcd7664ca328a41d24fbca75e3e54) --- diff --git a/src/detect-engine-iponly.c b/src/detect-engine-iponly.c index 50198acdce..0b89cca3d4 100644 --- a/src/detect-engine-iponly.c +++ b/src/detect-engine-iponly.c @@ -227,16 +227,11 @@ static int IPOnlyCIDRItemParseSingle(IPOnlyCIDRItem **pdd, const char *str) if (r <= 0) goto error; - netmask = in.s_addr; - if (netmask != 0) { - uint32_t m = netmask; - /* Extract cidr netmask */ - while ((0x01 & m) == 0) { - dd->netmask++; - m = m >> 1; - } - dd->netmask = 32 - dd->netmask; - } + int cidr = CIDRFromMask(in.s_addr); + if (cidr < 0) + goto error; + + dd->netmask = (uint8_t)cidr; } r = inet_pton(AF_INET, ip, &in);
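Review bot: `CIDRFromMask(in.s_addr)` is handed the raw network-byte-order value that `inet_pton` wrote into `in`, so the helper (defined outside this diff) must account for byte order before checking that the set bits are contiguous; the removed loop counted trailing zero bits of the raw value, which only matches the dotted-quad ordering on big-endian hosts, so please confirm the helper does an `ntohl()` (or equivalent) and has tests for masks such as `255.255.255.0`, `255.0.255.0` (should be rejected) and `0.0.0.0`. The new `goto error` on `cidr < 0` is silent; a rule that used a non-contiguous mask previously loaded with a wrong prefix length and will now fail to load, so a log line naming the rejected netmask at that point would help operators diagnose the change in behaviour. Also check that the `netmask` local assigned in the removed lines is not left declared but unused, and that the removed `netmask != 0` special case (which left `dd->netmask` at its prior value for `0.0.0.0`) is intentionally replaced by whatever `CIDRFromMask` returns for an all-zero mask.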