noproxy: replace atoi with curlx_str_number

To better reject junk and detect overflows. There were already
additional precautions and protections in place, but this is cleaner.

Extended the 1614 unit tests with some more bad syntax cases.

Closes #19475

diff --git a/lib/noproxy.c b/lib/noproxy.c
index b9e8492fd6e4fc575e90a9b18743ef8e8106e82e..1e19c369c0d9cec4b690b859780dc15d926c91ad 100644 (file)
--- a/lib/noproxy.c
+++ b/lib/noproxy.c
@@ -166,9 +166,12 @@ static bool match_ip(int type, const char *token, size_t tokenlen,
   slash = strchr(check, '/');
   /* if the slash is part of this token, use it */
   if(slash) {
-    /* if the bits variable gets a crazy value here, that is fine as
-       the value will then be rejected in the cidr function */
-    bits = (unsigned int)atoi(slash + 1);
+    curl_off_t value;
+    const char *p = &slash[1];
+    if(curlx_str_number(&p, &value, 128) || *p)
+      return FALSE;
+    /* a too large value is rejected in the cidr function below */
+    bits = (unsigned int)value;
     *slash = 0; /* null-terminate there */
   }
   if(type == TYPE_IPV6)

diff --git a/tests/data/test1614 b/tests/data/test1614
index 504d328fc6d0f1a34c39c77470e2b30d1d0ce479..8e8f6b3f4d0f2c9e1bab3536dc9467f585dc4182 100644 (file)
--- a/tests/data/test1614
+++ b/tests/data/test1614
@@ -2,6 +2,7 @@
 <info>
 <keywords>
 unittest
+noproxy
 </keywords>
 </info>
 

diff --git a/tests/unit/unit1614.c b/tests/unit/unit1614.c
index 9ba5f95ebb62d37ea94312ba8af7beb56169c4c2..10140ee60282e2987e8e8be7b20d29d2566861cf 100644 (file)
--- a/tests/unit/unit1614.c
+++ b/tests/unit/unit1614.c
@@ -99,8 +99,14 @@ static CURLcode test_unit1614(const char *arg)
     { "foobar", "foobar", TRUE},
     { "192.168.0.1", "foobar", FALSE},
     { "192.168.0.1", "192.168.0.0/16", TRUE},
+    { "192.168.0.1", "192.168.0.0/16a", FALSE},
+    { "192.168.0.1", "192.168.0.0/16 ", TRUE},
+    { "192.168.0.1", "192.168.0.0/a16", FALSE},
+    { "192.168.0.1", "192.168.0.0/ 16", FALSE},
     { "192.168.0.1", "192.168.0.0/24", TRUE},
     { "192.168.0.1", "192.168.0.0/32", FALSE},
+    { "192.168.0.1", "192.168.0.1/32", TRUE},
+    { "192.168.0.1", "192.168.0.1/33", FALSE},
     { "192.168.0.1", "192.168.0.0", FALSE},
     { "192.168.1.1", "192.168.0.0/24", FALSE},
     { "192.168.1.1", "192.168.0.0/33", FALSE},
@@ -111,7 +117,13 @@ static CURLcode test_unit1614(const char *arg)
     { "[::1]", "foo, bar, ::1/64", TRUE},
     { "[::1]", "::1/64", TRUE},
     { "[::1]", "::1/96", TRUE},
+    { "[::1]", "::1/129", FALSE},
+    { "[::1]", "::1/128", TRUE},
     { "[::1]", "::1/127", TRUE},
+    { "[::1]", "::1/a127", FALSE},
+    { "[::1]", "::1/127a", FALSE},
+    { "[::1]", "::1/ 127", FALSE},
+    { "[::1]", "::1/127 ", TRUE},
     { "[::1]", "::1/126", TRUE},
     { "[::1]", "::1/125", TRUE},
     { "[::1]", "::1/124", TRUE},