SEC-2576: ArrayIndexOutOfBoundsException in IpAddressMatcher

[spring-projects-issues]

Andreas Woitzick (Migrated from SEC-2576) said:

When dealing with performance issues in our software we looked a little bit deeper in the sources of IpAddressMatcher class. We figured out that the matches-methods will throw an ArrayIndexOutOfBoundsException when the netmask length given at construction time is too large. "Too large" means the netmask byte array is longer the byte array obtained from the ip address.

See attached test class (ArrayIndexOutOfBoundsExceptionTest).

We think to fix these Exception is quite easy, if the byte array for the netmask is determined at construction time and some basic checks are added. (We expect this solution will also perform better if the matches method of an already constructed IpAddressMatcher is called more than once.)

Attached IpAddressMatcher class contains these changes.

For informational purposes we submit the attached IpAddressMatcher2 class with some more performance optimizations (... and API changes). These changes are only seen useful for our special needs.

Best regards
Andreas Woitzick

[jzheaux]

Agreed that this is an issue. To address it, I think the code should validate the constructor input. For example, it should assert that the requiredAddress byte length times 8 is greater than or equal to nMaskBits.

The code should do the same for remoteAddress.

[clementkng]

Hi @jzheaux, can I try taking this issue?

[jzheaux]

Yes, of course, @clementkng! I'm looking forward to your PR.