From bffbbeb73f6b4b9a183c1c54b7db1d8c3b1fc1bb Mon Sep 17 00:00:00 2001
From: Ruslan Ermilov <ru@nginx.com>
Date: Tue, 3 Apr 2012 08:22:00 +0000
Subject: [PATCH] In ngx_ptocidr(), check that the supplied prefix length is
 within the allowed range.

---
 src/core/ngx_inet.c | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/src/core/ngx_inet.c b/src/core/ngx_inet.c
index cfc06e48d..a6ce9f395 100644
--- a/src/core/ngx_inet.c
+++ b/src/core/ngx_inet.c
@@ -407,6 +407,10 @@ ngx_ptocidr(ngx_str_t *text, ngx_cidr_t *cidr)
 
 #if (NGX_HAVE_INET6)
     case AF_INET6:
+        if (shift > 128) {
+            return NGX_ERROR;
+        }
+
         addr = cidr->u.in6.addr.s6_addr;
         mask = cidr->u.in6.mask.s6_addr;
         rc = NGX_OK;
@@ -428,6 +432,9 @@ ngx_ptocidr(ngx_str_t *text, ngx_cidr_t *cidr)
 #endif
 
     default: /* AF_INET */
+        if (shift > 32) {
+            return NGX_ERROR;
+        }
 
         if (shift) {
             cidr->u.in.mask = htonl((ngx_uint_t) (0 - (1 << (32 - shift))));