In ngx_ptocidr(), check that the supplied prefix length is within

the allowed range.

diff --git a/src/core/ngx_inet.c b/src/core/ngx_inet.c
index cfc06e48df36e184c2835ff6cc8c9a11f320262d..a6ce9f395b2a22a9940bf34272f144c869518afd 100644 (file)
--- a/src/core/ngx_inet.c
+++ b/src/core/ngx_inet.c
@@ -407,6 +407,10 @@ ngx_ptocidr(ngx_str_t *text, ngx_cidr_t *cidr)
 
 #if (NGX_HAVE_INET6)
     case AF_INET6:
+        if (shift > 128) {
+            return NGX_ERROR;
+        }
+
         addr = cidr->u.in6.addr.s6_addr;
         mask = cidr->u.in6.mask.s6_addr;
         rc = NGX_OK;
@@ -428,6 +432,9 @@ ngx_ptocidr(ngx_str_t *text, ngx_cidr_t *cidr)
 #endif
 
     default: /* AF_INET */
+        if (shift > 32) {
+            return NGX_ERROR;
+        }
 
         if (shift) {
             cidr->u.in.mask = htonl((ngx_uint_t) (0 - (1 << (32 - shift))));