Add input validation for NetworksWithin API

Add validation for invalid prefixes in NetworksWithin to prevent
unexpected behavior with malformed input. Invalid prefixes now return
proper errors instead of potentially causing undefined behavior.

Includes test coverage demonstrating proper error handling patterns
for invalid prefix scenarios.

Author: oschwald

CHANGELOG.md

@@ -1,5 +1,16 @@
 # Changes
 
+## 2.0.0-beta.9
+
+- **SECURITY**: Fixed integer overflow vulnerability in search tree size
+  calculation that could potentially allow malformed databases to trigger
+  security issues.
+- **SECURITY**: Enhanced bounds checking in tree traversal functions to return
+  proper errors instead of silent failures when encountering malformed
+  databases.
+- Added validation for invalid prefixes in `NetworksWithin` to prevent
+  unexpected behavior with malformed input.
+
 ## 2.0.0-beta.8 - 2025-07-15
 
 - Fixed "no next offset available" error that occurred when using custom

reader_test.go

@@ -1321,3 +1321,26 @@ func TestIntegerOverflowProtection(t *testing.T) {
 		// This tests the condition: if recordSizeQuarter > 0
 	})
 }
+
+func TestNetworksWithinInvalidPrefix(t *testing.T) {
+	reader, err := Open(testFile("GeoIP2-Country-Test.mmdb"))
+	require.NoError(t, err)
+	defer func() {
+		require.NoError(t, reader.Close())
+	}()
+
+	// Test what happens when user ignores ParsePrefix error and passes invalid prefix
+	var invalidPrefix netip.Prefix // Zero value - invalid prefix
+
+	foundError := false
+	for result := range reader.NetworksWithin(invalidPrefix) {
+		if result.Err() != nil {
+			foundError = true
+			// Check that we get an appropriate error message
+			assert.Contains(t, result.Err().Error(), "invalid prefix")
+			break
+		}
+	}
+
+	assert.True(t, foundError, "Expected error when using invalid prefix")
+}

traverse.go

@@ -1,6 +1,7 @@
 package maxminddb
 
 import (
+	"errors"
 	"fmt"
 	// comment to prevent gofumpt from randomly moving iter.
 	"iter"
@@ -78,6 +79,12 @@ func (r *Reader) Networks(options ...NetworksOption) iter.Seq[Result] {
 // [IncludeNetworksWithoutData].
 func (r *Reader) NetworksWithin(prefix netip.Prefix, options ...NetworksOption) iter.Seq[Result] {
 	return func(yield func(Result) bool) {
+		if !prefix.IsValid() {
+			yield(Result{
+				err: errors.New("invalid prefix"),
+			})
+			return
+		}
 		if r.Metadata.IPVersion == 4 && prefix.Addr().Is6() {
 			yield(Result{
 				err: fmt.Errorf(
@@ -101,6 +108,13 @@ func (r *Reader) NetworksWithin(prefix netip.Prefix, options ...NetworksOption)
 			stopBit += 96
 		}
 
+		if stopBit > 128 {
+			yield(Result{
+				err: errors.New("invalid prefix: exceeds IPv6 maximum of 128 bits"),
+			})
+			return
+		}
+
 		pointer, bit, err := r.traverseTree(ip, 0, stopBit)
 		if err != nil {
 			yield(Result{
@@ -189,7 +203,15 @@ func (r *Reader) NetworksWithin(prefix netip.Prefix, options ...NetworksOption)
 				ipRight[node.bit>>3] |= 1 << (7 - (node.bit % 8))
 
 				offset := node.pointer * r.nodeOffsetMult
-				rightPointer := readNodeBySize(r.buffer, offset, 1, r.Metadata.RecordSize)
+				rightPointer, err := readNodeBySize(r.buffer, offset, 1, r.Metadata.RecordSize)
+				if err != nil {
+					yield(Result{
+						ip:        mappedIP(node.ip),
+						prefixLen: uint8(node.bit),
+						err:       err,
+					})
+					return
+				}
 
 				node.bit++
 				nodes = append(nodes, netNode{
@@ -198,7 +220,16 @@ func (r *Reader) NetworksWithin(prefix netip.Prefix, options ...NetworksOption)
 					bit:     node.bit,
 				})
 
-				node.pointer = readNodeBySize(r.buffer, offset, 0, r.Metadata.RecordSize)
+				leftPointer, err := readNodeBySize(r.buffer, offset, 0, r.Metadata.RecordSize)
+				if err != nil {
+					yield(Result{
+						ip:        mappedIP(node.ip),
+						prefixLen: uint8(node.bit),
+						err:       err,
+					})
+					return
+				}
+				node.pointer = leftPointer
 			}
 		}
 	}