Reject unsupported sockaddr families

Author: oschwald

Changes.md

@@ -1,3 +1,10 @@
+## next release
+
+- Fixed an out-of-bounds read in `MMDB_lookup_sockaddr()` when callers passed a
+  `sockaddr` with an unsupported address family. The function now rejects any
+  family other than `AF_INET` and `AF_INET6` with
+  `MMDB_INVALID_NETWORK_ADDRESS_ERROR`.
+
 ## 1.13.3 - 2026-03-05
 
 - Fixed validation of empty maps and arrays at the end of the metadata section.

doc/libmaxminddb.md

@@ -393,6 +393,8 @@ status codes are:
   array index larger than an array or smaller than the minimum offset from the
   end of an array. It can also happen when the path expects to find a map or
   array where none exist.
+- `MMDB_INVALID_NETWORK_ADDRESS_ERROR` - `MMDB_lookup_sockaddr()` was given a
+  `sockaddr` whose family is neither `AF_INET` nor `AF_INET6`.
 
 All status codes should be treated as `int` values.
 
@@ -518,7 +520,8 @@ MMDB_lookup_result_s MMDB_lookup_sockaddr(
 ```
 
 This function looks up an IP address that has already been resolved by
-`getaddrinfo()`.
+`getaddrinfo()`. The `sockaddr` passed to this function must be an `AF_INET` or
+`AF_INET6` address.
 
 Other than not calling `getaddrinfo()` itself, this function is identical to the
 `MMDB_lookup_string()` function.

include/maxminddb.h

@@ -86,6 +86,7 @@ extern "C" {
     #define MMDB_LOOKUP_PATH_DOES_NOT_MATCH_DATA_ERROR (9)
     #define MMDB_INVALID_NODE_NUMBER_ERROR (10)
     #define MMDB_IPV6_LOOKUP_IN_IPV4_DATABASE_ERROR (11)
+    #define MMDB_INVALID_NETWORK_ADDRESS_ERROR (12)
 
     #if !(MMDB_UINT128_IS_BYTE_ARRAY)
         #if MMDB_UINT128_USING_MODE

src/maxminddb.c

@@ -926,23 +926,33 @@ MMDB_lookup_result_s MMDB_lookup_sockaddr(const MMDB_s *const mmdb,
 
     uint8_t mapped_address[16];
     uint8_t const *address;
+    // Reject families other than AF_INET/AF_INET6 before casting to
+    // sockaddr_in/sockaddr_in6, which would otherwise read past the
+    // truncated struct sockaddr the caller passed in.
     if (mmdb->metadata.ip_version == 4) {
         if (sockaddr->sa_family == AF_INET6) {
             *mmdb_error = MMDB_IPV6_LOOKUP_IN_IPV4_DATABASE_ERROR;
             return result;
         }
+        if (sockaddr->sa_family != AF_INET) {
+            *mmdb_error = MMDB_INVALID_NETWORK_ADDRESS_ERROR;
+            return result;
+        }
         address = (uint8_t const *)&((struct sockaddr_in const *)sockaddr)
                       ->sin_addr.s_addr;
     } else {
         if (sockaddr->sa_family == AF_INET6) {
             address = (uint8_t const *)&((struct sockaddr_in6 const *)sockaddr)
                           ->sin6_addr.s6_addr;
-        } else {
+        } else if (sockaddr->sa_family == AF_INET) {
             address = mapped_address;
             memset(mapped_address, 0, 12);
             memcpy(mapped_address + 12,
                    &((struct sockaddr_in const *)sockaddr)->sin_addr.s_addr,
                    4);
+        } else {
+            *mmdb_error = MMDB_INVALID_NETWORK_ADDRESS_ERROR;
+            return result;
         }
     }
 
@@ -2254,6 +2264,9 @@ const char *MMDB_strerror(int error_code) {
         case MMDB_IPV6_LOOKUP_IN_IPV4_DATABASE_ERROR:
             return "You attempted to look up an IPv6 address in an IPv4-only "
                    "database";
+        case MMDB_INVALID_NETWORK_ADDRESS_ERROR:
+            return "The sockaddr family is unsupported; only AF_INET and "
+                   "AF_INET6 are accepted";
         default:
             return "Unknown error code";
     }

t/CMakeLists.txt

@@ -32,6 +32,7 @@ if(UNIX)  # or if (NOT WIN32)
     bad_epoch_t
     bad_indent_t
     empty_container_metadata_t
+    invalid_sockaddr_t
     max_depth_t
     threads_t
   )

t/Makefile.am

@@ -21,7 +21,7 @@ check_PROGRAMS = \
 	basic_lookup_t data_entry_list_t \
 	data-pool-t data_types_t double_close_t dump_t empty_container_metadata_t \
 	gai_error_t get_value_t \
-	get_value_pointer_bug_t \
+	get_value_pointer_bug_t invalid_sockaddr_t \
 	ipv4_start_cache_t ipv6_lookup_in_ipv4_t max_depth_t metadata_t \
 	metadata_pointers_t no_map_get_value_t overflow_bounds_t read_node_t \
 	threads_t version_t

t/invalid_sockaddr_t.c

@@ -0,0 +1,51 @@
+#include "maxminddb_test_helper.h"
+
+static void test_invalid_sockaddr_family(const char *filename,
+                                         sa_family_t family,
+                                         const char *open_msg,
+                                         const char *family_msg) {
+    char *db_file = test_database_path(filename);
+    MMDB_s *mmdb = open_ok(db_file, MMDB_MODE_MMAP, open_msg);
+    free(db_file);
+
+    if (!mmdb) {
+        return;
+    }
+
+    struct sockaddr addr = {.sa_family = family};
+    int mmdb_error = MMDB_SUCCESS;
+    MMDB_lookup_result_s result =
+        MMDB_lookup_sockaddr(mmdb, &addr, &mmdb_error);
+
+    ok(!result.found_entry, "%s: no entry returned", family_msg);
+    cmp_ok(result.netmask, "==", 0, "%s: netmask left at zero", family_msg);
+    cmp_ok(mmdb_error,
+           "==",
+           MMDB_INVALID_NETWORK_ADDRESS_ERROR,
+           "%s: MMDB_lookup_sockaddr rejects unsupported family",
+           family_msg);
+
+    MMDB_close(mmdb);
+    free(mmdb);
+}
+
+int main(void) {
+    plan(NO_PLAN);
+    test_invalid_sockaddr_family("MaxMind-DB-test-ipv4-24.mmdb",
+                                 AF_UNIX,
+                                 "opened IPv4 test database (AF_UNIX)",
+                                 "AF_UNIX against IPv4 db");
+    test_invalid_sockaddr_family("MaxMind-DB-test-ipv4-24.mmdb",
+                                 AF_UNSPEC,
+                                 "opened IPv4 test database (AF_UNSPEC)",
+                                 "AF_UNSPEC against IPv4 db");
+    test_invalid_sockaddr_family("MaxMind-DB-test-ipv6-24.mmdb",
+                                 AF_UNIX,
+                                 "opened IPv6 test database (AF_UNIX)",
+                                 "AF_UNIX against IPv6 db");
+    test_invalid_sockaddr_family("MaxMind-DB-test-ipv6-24.mmdb",
+                                 AF_UNSPEC,
+                                 "opened IPv6 test database (AF_UNSPEC)",
+                                 "AF_UNSPEC against IPv6 db");
+    done_testing();
+}