From: Victor Julien Date: Tue, 1 Mar 2022 11:41:04 +0000 (+0100) Subject: detect/address: validate netmasks X-Git-Tag: suricata-6.0.5~90 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=8f1644594fdc410934f9f28b6cf80a93e100e806;p=thirdparty%2Fsuricata.git detect/address: validate netmasks Only accept netmask in dotted quad notation if they can be turned into a CIDR. According to rfc 4632, CIDR (compat) netmasks are all that should be used. Bug: #5168. (cherry picked from commit 259bd8aa92c7bc8ca8c74b3f429f321935493828) --- diff --git a/src/detect-engine-address.c b/src/detect-engine-address.c index 3b47b4325a..c529ef66b9 100644 --- a/src/detect-engine-address.c +++ b/src/detect-engine-address.c @@ -452,6 +452,16 @@ static int DetectAddressParseString(DetectAddress *dd, const char *str) goto error; netmask = in.s_addr; + + /* validate netmask */ + int cidr = CIDRFromMask(netmask); + if (cidr < 0) { + SCLogError(SC_ERR_INVALID_SIGNATURE, + "netmask \"%s\" is not usable. Only netmasks that are compatible with " + "CIDR notation are supported. See #5168.", + mask); + goto error; + } } r = inet_pton(AF_INET, ip, &in);
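Review bot: the new rejection path has no test alongside it; the diff touches only src/detect-engine-address.c and adds no case that feeds DetectAddressParseString a dotted-quad mask that cannot be expressed as a CIDR prefix (the non-contiguous case rfc 4632 rules out) and asserts it now fails, so the fix could regress silently. A small unit test for both the accepted (contiguous) and rejected (non-contiguous) mask forms would pin the behaviour down. Two minor points on the hunk itself: `mask` is printed in the SCLogError message but is not visible in the surrounding context, so confirm it still holds the original netmask string at this point rather than a value modified by the preceding inet_pton parse; and since `cidr` is only compared against 0 and never used afterwards, folding the call into the condition (`if (CIDRFromMask(netmask) < 0)`) would avoid the mid-block declaration and make the intent of a pure validity check clearer.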