From: Victor Julien
Date: Sat, 13 Feb 2021 16:10:15 +0000 (+0100)
Subject: host: improve compare logic
X-Git-Tag: suricata-6.0.2~39
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=refs%2Fpull%2F5860%2Fhead;p=thirdparty%2Fsuricata.git

host: improve compare logic

The old compare macro would compare all bytes of an address, even when for IPv4 addresses the additional bytes were not in use. This made the logic vulnerable to mistakes like in issue #4280.

(cherry picked from commit 6bfc5afa2301cc416e2fced23ec1accdfdea0daf)
---
diff --git a/src/host.c b/src/host.c
index 671faf1b11..5480d1b450 100644
--- a/src/host.c
+++ b/src/host.c
@@ -402,14 +402,17 @@ static inline uint32_t HostGetKey(Address *a)
 return key;
 }
 
-/* Since two or more hosts can have the same hash key, we need to compare
- * the flow with the current flow key. */
-#define CMP_HOST(h,a) \
- (CMP_ADDR(&(h)->a, (a)))
-
 static inline int HostCompare(Host *h, Address *a)
 {
- return CMP_HOST(h, a);
+ if (h->a.family == a->family) {
+ switch (a->family) {
+ case AF_INET:
+ return (h->a.addr_data32[0] == a->addr_data32[0]);
+ case AF_INET6:
+ return CMP_ADDR(&h->a, a);
+ }
+ }
+ return 0;
 }
 
 /**
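Review bot: HostCompare is left with no comment at all: the commit removes the note about hash-key collisions together with CMP_HOST, and nothing in the new body explains why the AF_INET case looks only at `addr_data32[0]`. I would add above the function something like `/* Hosts can share a hash key, so confirm the address itself; for IPv4 only the first 32-bit word is in use, so the remaining words are deliberately not compared. */`. The `switch` also has no `default`, so an unexpected family silently falls through to `return 0`; an explicit `default: break;` would show that this is intended. A false mismatch here presumably means an already-tracked host is not found in the table, so it is worth confirming that HostGetKey, whose body lies outside this hunk, likewise hashes only the first word for IPv4; otherwise two equal IPv4 addresses with different unused bytes could land in different buckets and never reach this compare.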