Adventures in Validating IPv4 Addresses

Published: 2023-10-26. Last Updated: 2023-10-26 17:14:20 UTC
by Johannes Ullrich (Version: 1)
1 comment(s)

It should be pretty easy to validate an IP address. IPv4 addresses are 32-bit unsigned integers, and IPv6 addresses are 128-bit unsigned integers. Things get "interesting" when developers attempt to validate IP addresses as a string. There have been a few interesting vulnerabilities around this issue (CVE-2021-28918, CVE-2021-29921, CVE-2021-29418).

So, let's take a look at how IPv4 addresses may be represented:

  • Dotted Decimal. This is by far the most common representation: 192.0.2.1
  • Dotted Octal. A leading zero indicates that the byte value is octal. Try "ping 010.010.010.010" and you may see it reaching out to 8.8.8.8
  • Hexadecimal: 0xa.0xa.0xa.0xa becomes "10.10.10.10"
  • Decimal integer: just use a function like inet_aton to convert the IP into a decimal number. There are some big/little ending issues that Didier and Jessy recently talked about. "8.8.8.8" becomes 134744072. 
  • Hexadecimal integers 0x08080808 work as well. 
  • Hexadecimal: 0xa.0xa.0xa.0xa becomes "10.10.10.10"
  • Mixed Octal/Decimal/hex. For example, 010.8.0x8.8 is also '8.8.8.8'

This all becomes important if you are attempting to validate if the IP address is syntactically valid and if you are also interested in restricting the IP address to a specific subnet. And the most common mistake is to treat IPv4 addresses as a string.

In my opinion, there is only one "right" way to validate IPv4 addresses:

  1. Convert the address string to an unsigned long integer using the socket libraries inet_aton() function.
  2. Now, use bitmasking to check if the address is in a specific subnet (or not).
  3. Finally, convert the address back from an unsigned long integer to a string using inet_ntoa (if needed)

Anything else is likely going to get you into trouble. The socket library is handy because it is usually used to establish connections. By using inet_aton, your chances increase significantly so that your input validation interprets the IP address the same way it will be when a connection is established using this IP address.

Any other suggestions?

---
Johannes B. Ullrich, Ph.D. , Dean of Research, SANS.edu
Twitter|

Keywords:
1 comment(s)
ISC Stormcast For Thursday, October 26th, 2023 https://isc.sans.edu/podcastdetail/8718

Comments


Diary Archives