Moderate severity · NVD Advisory · Published Nov 11, 2021 · Updated Sep 16, 2024
Misconfigured IP address field in ROA leads to OctoRPKI crash
CVE-2021-3911
Description
If a ROA returned by a repository carries an IP address field whose address has more bytes than the accompanying mask covers, OctoRPKI's range computation indexes past the end of the mask and the process crashes (a Go out-of-range panic). Because the ROA is supplied by the remote repository being validated, a malicious or misconfigured repository can use this to knock the validator over — a denial of service of the RPKI validation pipeline rather than a memory-disclosure bug.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| github.com/cloudflare/cfrpki (Go) | < 1.4.0 | 1.4.0 |
Affected products
- Range: unspecified
Patches
2882307febd6 — VULN-8286: Prevent oob read when validating IP ranges
2 files changed · +17 −4
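--- a/validator/lib/cert.go
+++ b/validator/lib/cert.go
@@ -62,7 +62,10 @@ func (ipn *IPNet) GetAfi() uint8 {
 }
 
 func (ipn *IPNet) GetRange() (net.IP, net.IP, bool) {
-	min, max := GetRangeIP(ipn.IPNet)
+	err, min, max := GetRangeIP(ipn.IPNet)
+	if err != nil {
+		return nil, nil, false
+	}
 	return min, max, false
 }
 
@@ -474,6 +477,9 @@ func ValidateIPCertificateList(list []IPCertificateInformation, parent *RPKICert
 			valids = append(valids, ip)
 			continue
 		}
+		if min == nil && max == nil {
+			invalids = append(invalids, ip)
+		}
 		valid, checkParent := parent.IsIPRangeInCertificate(min, max)
 		if valid {
 			valids = append(valids, ip)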
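Review bot: The new `if min == nil && max == nil` branch in ValidateIPCertificateList appends `ip` to invalids but does not `continue`, so the same entry still reaches `parent.IsIPRangeInCertificate(min, max)` on the next line with nil bounds and, depending on how that method treats nil inputs (not shown here), may additionally be recorded as valid or deferred to a parent check. Add `continue` directly after `invalids = append(invalids, ip)`. The check also relies on the nil pair as an implicit error sentinel from GetRange (first hunk), which maps a mask error to `nil, nil, false` that callers cannot tell apart from any other nil result; a comment such as `// nil bounds: GetRange rejected the address/mask pair (see GetRangeIP)` above the branch would make that contract explicit. ValidateIPCertificateList starts before this hunk and continues after it, so where min and max are assigned is not visible.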
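--- a/validator/lib/roa.go
+++ b/validator/lib/roa.go
@@ -133,17 +133,21 @@ func EncodeROAEntries(asn int, entries []*ROAEntry) (*ROA, error) {
 	return roa, nil
 }
 
-func GetRangeIP(ipnet *net.IPNet) (net.IP, net.IP) {
+func GetRangeIP(ipnet *net.IPNet) (error, net.IP, net.IP) {
 	ip := ipnet.IP
 	mask := ipnet.Mask
 	beginIP := make([]byte, len(ip))
 	endIP := make([]byte, len(ip))
 
 	for i := range []byte(ip) {
+		// GHSA-w6ww-fmfx-2x22: Prevent oob read
+		if i >= len(mask) {
+			return errors.New("Invalid IP address mask"), nil, nil
+		}
 		beginIP[i] = ip[i] & mask[i]
 		endIP[i] = ip[i] | ^mask[i]
 	}
-	return net.IP(beginIP), net.IP(endIP)
+	return nil, net.IP(beginIP), net.IP(endIP)
 }
 
 // https://tools.ietf.org/html/rfc6480#section-2.3
@@ -191,7 +195,10 @@ func ValidateIPRoaCertificateList(entries []*ROAEntry, cert *RPKICertificate) ([
 	invalids := make([]*ROAEntry, 0)
 	checkParents := make([]*ROAEntry, 0)
 	for _, entry := range entries {
-		min, max := GetRangeIP(entry.IPNet)
+		err, min, max := GetRangeIP(entry.IPNet)
+		if err != nil {
+			invalids = append(invalids, entry)
+		}
 		valid, checkParent := cert.IsIPRangeInCertificate(min, max)
 		if valid {
 			valids = append(valids, entry)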
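Review bot: The new `if err != nil { invalids = append(invalids, entry) }` in ValidateIPRoaCertificateList has no `continue`, so a malformed entry is recorded as invalid and then still passed to `cert.IsIPRangeInCertificate(nil, nil)` on the following line, where it may also end up in valids or checkParents depending on how that method handles nil bounds (its body is outside the hunk). Add `continue` inside the branch, i.e. `invalids = append(invalids, entry)` followed by `continue`. In GetRangeIP the bounds test runs on every iteration although it can only trip once the loop index passes `len(mask)`; a single `if len(mask) < len(ip) { return errors.New("Invalid IP address mask"), nil, nil }` before the `for` would reject the pair up front and keep the loop body free of the check. The new `(error, net.IP, net.IP)` signature also puts the error first, against Go convention (error last), which every call site now has to remember; if the API can still be changed before release, returning `(net.IP, net.IP, error)` would be the idiomatic shape. ValidateIPRoaCertificateList continues past the end of the hunk.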
Vulnerability mechanics
The fix commit shows the defect: GetRangeIP (validator/lib/roa.go) walks the address bytes of the decoded prefix and reads `mask[i]` for each of them without checking that the mask is at least as long as the address. A ROA whose address has more bytes than its mask therefore indexes past the end of the mask slice (CWE-125, out-of-bounds read); in Go that is a runtime index-out-of-range panic, which is the crash described above. The patch makes GetRangeIP return an error when `i >= len(mask)` and has its callers (GetRange in cert.go, ValidateIPRoaCertificateList in roa.go, and the nil-bounds check in ValidateIPCertificateList) treat the entry as invalid instead of panicking.
References
- github.com/advisories/GHSA-w6ww-fmfx-2x22 (GitHub Security Advisory)
- nvd.nist.gov/vuln/detail/CVE-2021-3911 (NVD advisory)
- www.debian.org/security/2022/dsa-5041 (Debian vendor advisory DSA-5041)
- github.com/cloudflare/cfrpki/commit/2882307febd66801de97b2a2ce4d93fe58132005 (fix commit)
- github.com/cloudflare/cfrpki/security/advisories/GHSA-w6ww-fmfx-2x22 (repository security advisory)
- pkg.go.dev/vuln/GO-2022-0252 (Go vulnerability database entry)