From f4c16bc47fc24a96b63105556b62d61c1ba7d799 Mon Sep 17 00:00:00 2001
From: Michael Rash <mbr@cipherdyne.org>
Date: Sat, 25 Aug 2012 23:08:55 -0400
Subject: [PATCH] [server] Stronger IP validation based on a bug found by
 Fernando Arnaboldi from IOActive

This commit fixes a condition in which the server did not properly validate
allow IP addresses from malicious authenticated clients.  This has been fixed
with stronger allow IP validation.
---

--- a/lib/fko_message.c
+++ b/lib/fko_message.c
@@ -261,23 +261,31 @@
 got_allow_ip(const char *msg)
 {
     const char *ndx     = msg;
-    int         dot_cnt = 0;
+    int         dot_ctr = 0, char_ctr = 0;
     int         res     = FKO_SUCCESS;
 
     while(*ndx != ',' && *ndx != '\0')
     {
+        char_ctr++;
+        if(char_ctr >= MAX_IPV4_STR_LEN)
+        {
+            res = FKO_ERROR_INVALID_ALLOW_IP;
+            break;
+        }
         if(*ndx == '.')
-            dot_cnt++;
+            dot_ctr++;
         else if(isdigit(*ndx) == 0)
         {
             res = FKO_ERROR_INVALID_ALLOW_IP;
             break;
         }
-
         ndx++;
     }
 
-    if(dot_cnt != 3)
+    if (char_ctr < MIN_IPV4_STR_LEN)
+        res = FKO_ERROR_INVALID_ALLOW_IP;
+
+    if(dot_ctr != 3)
         res = FKO_ERROR_INVALID_ALLOW_IP;
 
     return(res);
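Review bot: The new length bounds in got_allow_ip() still accept strings that are not IPv4 addresses, because the loop only counts characters and dots: `999.999.999.999` and `1...234` both pass with three dots and a length between MIN_IPV4_STR_LEN and MAX_IPV4_STR_LEN. Each octet should be required to contain at least one digit and to have a value of at most 255, as sketched below. Separately, `isdigit(*ndx)` receives a plain `char`, which is undefined behaviour for negative values in client-supplied data; `isdigit((unsigned char)*ndx)` avoids that. The function's return-type line and closing brace lie outside the hunk.

```c
    int         dot_ctr = 0, char_ctr = 0;
    int         octet = 0, digit_ctr = 0;
    /* ... unchanged: res declaration ... */

    while(*ndx != ',' && *ndx != '\0')
    {
        /* ... unchanged: char_ctr check against MAX_IPV4_STR_LEN ... */
        if(*ndx == '.')
        {
            /* Reject an empty octet such as "1..2.3" */
            if(digit_ctr == 0)
            {
                res = FKO_ERROR_INVALID_ALLOW_IP;
                break;
            }
            dot_ctr++;
            octet = 0;
            digit_ctr = 0;
        }
        else if(isdigit((unsigned char)*ndx) == 0)
        {
            res = FKO_ERROR_INVALID_ALLOW_IP;
            break;
        }
        else
        {
            /* Cannot overflow: we bail out as soon as the octet exceeds 255 */
            octet = octet * 10 + (*ndx - '0');
            digit_ctr++;
            if(octet > 255)
            {
                res = FKO_ERROR_INVALID_ALLOW_IP;
                break;
            }
        }
        ndx++;
    }

    /* ... unchanged: char_ctr check against MIN_IPV4_STR_LEN ... */

    /* digit_ctr == 0 here means the address ended on a dot */
    if(dot_ctr != 3 || digit_ctr == 0)
        res = FKO_ERROR_INVALID_ALLOW_IP;
```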
--- a/lib/fko_limits.h
+++ b/lib/fko_limits.h
@@ -43,6 +43,9 @@
 #define MIN_SPA_ENCODED_MSG_SIZE     36 /* Somewhat arbitrary */
 #define MIN_GNUPG_MSG_SIZE          400
 
+#define MAX_IPV4_STR_LEN             16
+#define MIN_IPV4_STR_LEN              7
+
 /* Misc.
 */
 #define FKO_ENCODE_TMP_BUF_SIZE    1024
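Review bot: The two new limits are undocumented, and MAX_IPV4_STR_LEN is ambiguous about whether it counts the terminating NUL. got_allow_ip() rejects with `char_ctr >= MAX_IPV4_STR_LEN`, so 16 works as a buffer size (15 characters plus NUL) and not as a maximum string length. A later caller comparing with `>` would admit a 16-character string. Trailing comments in the style already used above would make this explicit, for example `/* "255.255.255.255" plus terminating NUL */` on the MAX line and `/* "1.1.1.1" */` on the MIN line.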
