net: validate custom lookup() output

This commit adds validation to the IP address returned by the
net module's custom DNS lookup() function.

PR-URL: #34813
Fixes: #34812
Reviewed-By: Anna Henningsen <[email protected]>
Reviewed-By: James M Snell <[email protected]>
Reviewed-By: Richard Lau <[email protected]>
Reviewed-By: Yongsheng Zhang <[email protected]>
Reviewed-By: Matteo Collina <[email protected]>
Reviewed-By: Michaël Zasso <[email protected]>
Reviewed-By: Ricky Zhou <[email protected]>
Reviewed-By: Luigi Pinca <[email protected]>

Author: cjihrig

lib/net.js

@@ -1051,6 +1051,9 @@ function lookupAndConnect(self, options) {
         // calls net.Socket.connect() on it (that's us). There are no event
         // listeners registered yet so defer the error event to the next tick.
         process.nextTick(connectErrorNT, self, err);
+      } else if (!isIP(ip)) {
+        err = new ERR_INVALID_IP_ADDRESS(ip);
+        process.nextTick(connectErrorNT, self, err);
       } else if (addressType !== 4 && addressType !== 6) {
         err = new ERR_INVALID_ADDRESS_FAMILY(addressType,
                                              options.host,

test/parallel/test-net-dns-custom-lookup.js

@@ -41,3 +41,14 @@ function check(addressType, cb) {
 check(4, function() {
   common.hasIPv6 && check(6);
 });
+
+// Verify that bad lookup() IPs are handled.
+{
+  net.connect({
+    host: 'localhost',
+    port: 80,
+    lookup(host, dnsopts, cb) {
+      cb(null, undefined, 4);
+    }
+  }).on('error', common.expectsError({ code: 'ERR_INVALID_IP_ADDRESS' }));
+}