Ensure --addr-pool mask accepts numbers only (#4619)

* Ensure --addr-pool mask accepts numbers only
* Add mask validation
* Replace mask assignment position
* Use a thread-safe function and free allocated memory

Co-authored-by: liang.he <[email protected]>

Author: linear0211

core/iwasm/common/wasm_runtime_common.c

@@ -3898,7 +3898,8 @@ wasm_runtime_init_wasi(WASMModuleInstanceCommon *module_inst,
 
     /* addr_pool(textual) -> apool */
     for (i = 0; i < addr_pool_size; i++) {
-        char *cp, *address, *mask;
+        char *cp, *address, *mask, *nextptr, *endptr;
+        long mask_val;
         bool ret = false;
 
         cp = bh_strdup(addr_pool[i]);
@@ -3908,18 +3909,40 @@ wasm_runtime_init_wasi(WASMModuleInstanceCommon *module_inst,
             goto fail;
         }
 
-        address = strtok(cp, "/");
-        mask = strtok(NULL, "/");
+#ifdef BH_PLATFORM_WINDOWS
+        address = strtok_s(cp, "/", &nextptr);
+        mask = strtok_s(NULL, "/", &nextptr);
+#else
+        address = strtok_r(cp, "/", &nextptr);
+        mask = strtok_r(NULL, "/", &nextptr);
+#endif
 
         if (!mask) {
             snprintf(error_buf, error_buf_size,
                      "Invalid address pool entry: %s, must be in the format of "
                      "ADDRESS/MASK",
                      addr_pool[i]);
+            wasm_runtime_free(cp);
+            goto fail;
+        }
+
+        errno = 0;
+        mask_val = strtol(mask, &endptr, 10);
+
+        if (mask == endptr || *endptr != '\0') {
+            snprintf(error_buf, error_buf_size,
+                     "Invalid address pool entry: mask must be a number");
+            wasm_runtime_free(cp);
+            goto fail;
+        }
+        if (errno != 0 || mask_val < 0) {
+            snprintf(error_buf, error_buf_size,
+                     "Init wasi environment failed: invalid mask number");
+            wasm_runtime_free(cp);
             goto fail;
         }
 
-        ret = addr_pool_insert(apool, address, (uint8)atoi(mask));
+        ret = addr_pool_insert(apool, address, (uint8)mask_val);
         wasm_runtime_free(cp);
         if (!ret) {
             set_error_buf(error_buf, error_buf_size,

core/iwasm/libraries/libc-wasi/sandboxed-system-primitives/src/posix.c

@@ -3105,7 +3105,6 @@ addr_pool_insert(struct addr_pool *addr_pool, const char *addr, uint8 mask)
     }
 
     next->next = NULL;
-    next->mask = mask;
 
     if (os_socket_inet_network(true, addr, &target) != BHT_OK) {
         // If parsing IPv4 fails, try IPv6
@@ -3116,10 +3115,20 @@ addr_pool_insert(struct addr_pool *addr_pool, const char *addr, uint8 mask)
         next->type = IPv6;
         bh_memcpy_s(next->addr.ip6, sizeof(next->addr.ip6), target.ipv6,
                     sizeof(target.ipv6));
+        if (mask > 128) {
+            wasm_runtime_free(next);
+            return false;
+        }
+        next->mask = mask;
     }
     else {
         next->type = IPv4;
         next->addr.ip4 = target.ipv4;
+        if (mask > 32) {
+            wasm_runtime_free(next);
+            return false;
+        }
+        next->mask = mask;
     }
 
     /* attach with */