In the latest 2.0.2 there was a rewrite of the IP validation. Effectively, in version 2.0.2 the sanity check that IP components are < 0xFFFFFFFF has been removed, because >>> 0 always converts them to a 32-bit unsigned long.
This can cause trouble, for example this "IP" actually checks out as belonging to the localhost block: "4294967423.0.0.1" (because mod 2^32 it is equal to 127.0.0.1).
Although it's obviously an invalid IP, this has the potential to create shenanigans, because other libraries probably are not making the exact same mistake.
Another input validation issue is the use of the ParseInt function for the mask parameter. For example two possible inputs that generate a nonsensical state:
(a) Try `weird = new Netmask('1.2.3.4', -1)`, and then the state of the netmask object includes a bitmask <0, and size > 2^32 among other oddities. The next() operation has an uncaught error in this case.
(b) Try `weird2 = new Netmask('1.2.3.4', 0.1)`. The constructor succeeds, but the state is similarly funky.
Best regards,
Alon Navon,
Seal Security
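The two failure modes in the report (octet values wrapping mod 2^32 through `>>> 0`, and a prefix length taken straight from `parseInt`) side by side with a hardened parser. This is an added example and not code from the netmask project or from the reporter: `laxIpToLong`, `laxMaskBits` and `blockSize` are a reconstruction of the behaviour the issue describes, not the library's source, and `strictIpToLong` / `strictMaskBits` are one way to validate the same inputs. `LOCALHOST_BLOCK` and `inBlock` are local helpers written for this example.

```javascript
// Added example, not code from the netmask project. laxIpToLong / laxMaskBits /
// blockSize reconstruct the behaviour the report describes and are assumptions
// about the library, not its source. The strict* functions are hardened versions.

// 127.0.0.0/8 as a (base address, prefix length) pair, local to this example.
const LOCALHOST_BLOCK = { base: 0x7f000000, bits: 8 };

// Lax: parseInt each dotted component, shift it in, wrap with >>> 0.
// Nothing checks that a component fits in 8 bits, so values wrap mod 2^32:
// "4294967423.0.0.1" (2^32 + 127, then 0.0.1) collapses to 127.0.0.1.
function laxIpToLong(ip) {
  let n = 0;
  for (const part of ip.split('.')) {
    n = ((n << 8) + parseInt(part, 10)) >>> 0;
  }
  return n;
}

// Lax mask handling as described: parseInt alone, no range or integer check.
// parseInt(-1) is -1, parseInt(0.1) is 0.
function laxMaskBits(mask) {
  return parseInt(mask, 10);
}

// Block size as 2^(32 - bits); a negative prefix length yields a size above 2^32.
function blockSize(bits) {
  return 2 ** (32 - bits);
}

// Strict: exactly four decimal octets, each 0..255, no sign, no hex, no
// whitespace, and no leading zeros (several C stacks read "010" as octal).
const OCTET = /^(0|[1-9][0-9]{0,2})$/;
function strictIpToLong(ip) {
  const parts = String(ip).split('.');
  if (parts.length !== 4) throw new RangeError(`expected 4 octets: ${ip}`);
  let n = 0;
  for (const part of parts) {
    if (!OCTET.test(part)) throw new RangeError(`bad octet "${part}" in ${ip}`);
    const v = Number(part);
    if (v > 255) throw new RangeError(`octet out of range "${part}" in ${ip}`);
    n = ((n << 8) | v) >>> 0;
  }
  return n;
}

// Strict: prefix length must be an integer in 0..32 (a numeric string is allowed).
function strictMaskBits(mask) {
  const v = typeof mask === 'string'
    ? (mask.trim() === '' ? NaN : Number(mask))
    : mask;
  if (typeof v !== 'number' || !Number.isInteger(v) || v < 0 || v > 32) {
    throw new RangeError(`prefix length must be an integer in 0..32, got ${mask}`);
  }
  return v;
}

// Does the 32-bit address fall inside base/bits? The bits === 0 guard is needed
// because a JS shift count is taken mod 32, so << 32 would shift by 0.
function inBlock(ipLong, { base, bits }) {
  const mask = bits === 0 ? 0 : (0xffffffff << (32 - bits)) >>> 0;
  return ((ipLong & mask) >>> 0) === base;
}

// True if fn throws RangeError; used to show what the strict functions reject.
function rejects(fn) {
  try { fn(); return false; } catch (e) { return e instanceof RangeError; }
}

// Walk through the inputs from the report plus a plain out-of-range octet.
for (const ip of ['127.0.0.1', '4294967423.0.0.1', '256.0.0.1']) {
  const lax = laxIpToLong(ip);
  console.log(ip, 'lax -> 0x' + lax.toString(16),
    'loopback?', inBlock(lax, LOCALHOST_BLOCK),
    'strict rejects?', rejects(() => strictIpToLong(ip)));
}
for (const m of [-1, 0.1, '24']) {
  const bits = laxMaskBits(m);
  console.log('mask', m, 'lax bits', bits, 'lax size', blockSize(bits),
    'strict rejects?', rejects(() => strictMaskBits(m)));
}
```

The strict parser rejects by shape before it ever converts, so there is no integer to wrap: a component with more than three digits, a sign, or a leading zero never reaches the shift. Validating the prefix length as an integer in 0..32 is what keeps `blockSize` and the mask arithmetic in range; `parseInt` silently turns `0.1` into `0` and passes `-1` through unchanged.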