From: Daniel Stenberg Date: Wed, 12 Nov 2025 07:17:48 +0000 (+0100) Subject: noproxy: replace atoi with curlx_str_number X-Git-Tag: rc-8_18_0-1~343 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=97b0abb46bc03e6f59a90666df6f0dc138fa2a04;p=thirdparty%2Fcurl.git noproxy: replace atoi with curlx_str_number To better reject junk and detect overflows. There were already additional precautions and protections in place, but this is cleaner. Extended the 1614 unit tests with some more bad syntax cases. Closes #19475
---
diff --git a/lib/noproxy.c b/lib/noproxy.c
index b9e8492fd6..1e19c369c0 100644
--- a/lib/noproxy.c
+++ b/lib/noproxy.c
@@ -166,9 +166,12 @@ static bool match_ip(int type, const char *token, size_t tokenlen,
 slash = strchr(check, '/');
 /* if the slash is part of this token, use it */
 if(slash) {
- /* if the bits variable gets a crazy value here, that is fine as
- the value will then be rejected in the cidr function */
- bits = (unsigned int)atoi(slash + 1);
+ curl_off_t value;
+ const char *p = &slash[1];
+ if(curlx_str_number(&p, &value, 128) || *p)
+ return FALSE;
+ /* a too large value is rejected in the cidr function below */
+ bits = (unsigned int)value;
 *slash = 0; /* null-terminate there */
 }
 if(type == TYPE_IPV6)
diff --git a/tests/data/test1614 b/tests/data/test1614
index 504d328fc6..8e8f6b3f4d 100644
--- a/tests/data/test1614
+++ b/tests/data/test1614
@@ -2,6 +2,7 @@
 unittest
+noproxy
diff --git a/tests/unit/unit1614.c b/tests/unit/unit1614.c
index 9ba5f95ebb..10140ee602 100644
--- a/tests/unit/unit1614.c
+++ b/tests/unit/unit1614.c
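Review bot: In the `lib/noproxy.c` hunk the limit passed to `curlx_str_number` is 128 whatever `type` is, so an IPv4 token with a prefix of 33 to 128 passes this check and is only turned down later by the cidr function, as the new comment says. A type-specific limit would keep the whole range check at the parse site and make the cast to `unsigned int` visibly safe: `if(curlx_str_number(&p, &value, (type == TYPE_IPV6) ? 128 : 32) || *p)`. A malformed prefix now makes the entry stop matching without any diagnostic, so a host that presumably bypassed the proxy through a sloppy entry such as `/16a` will start going through it; that deserves a line in the NO_PROXY documentation. The body of `match_ip` begins and ends outside this hunk, so the later handling of `bits` is taken from the comment rather than seen.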
@@ -99,8 +99,14 @@ static CURLcode test_unit1614(const char *arg)
 { "foobar", "foobar", TRUE},
 { "192.168.0.1", "foobar", FALSE},
 { "192.168.0.1", "192.168.0.0/16", TRUE},
+ { "192.168.0.1", "192.168.0.0/16a", FALSE},
+ { "192.168.0.1", "192.168.0.0/16 ", TRUE},
+ { "192.168.0.1", "192.168.0.0/a16", FALSE},
+ { "192.168.0.1", "192.168.0.0/ 16", FALSE},
 { "192.168.0.1", "192.168.0.0/24", TRUE},
 { "192.168.0.1", "192.168.0.0/32", FALSE},
+ { "192.168.0.1", "192.168.0.1/32", TRUE},
+ { "192.168.0.1", "192.168.0.1/33", FALSE},
 { "192.168.0.1", "192.168.0.0", FALSE},
 { "192.168.1.1", "192.168.0.0/24", FALSE},
 { "192.168.1.1", "192.168.0.0/33", FALSE},
@@ -111,7 +117,13 @@ static CURLcode test_unit1614(const char *arg)
 { "[::1]", "foo, bar, ::1/64", TRUE},
 { "[::1]", "::1/64", TRUE},
 { "[::1]", "::1/96", TRUE},
+ { "[::1]", "::1/129", FALSE},
+ { "[::1]", "::1/128", TRUE},
 { "[::1]", "::1/127", TRUE},
+ { "[::1]", "::1/a127", FALSE},
+ { "[::1]", "::1/127a", FALSE},
+ { "[::1]", "::1/ 127", FALSE},
+ { "[::1]", "::1/127 ", TRUE},
 { "[::1]", "::1/126", TRUE},
 { "[::1]", "::1/125", TRUE},
 { "[::1]", "::1/124", TRUE},
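Review bot: The rows added in both hunks cover stray characters and the first out-of-range prefixes (`/33`, `/129`), but none exercises the overflow path the commit message names, nor an empty or signed prefix. Constructed rows such as `{ "192.168.0.1", "192.168.0.0/4294967312", FALSE},`, `{ "192.168.0.1", "192.168.0.1/", FALSE},` and `{ "[::1]", "::1/-1", FALSE},` would pin those cases; the expected FALSE assumes the parser rejects a number above its limit and a token with no leading digit. The rows `"192.168.0.0/16 "` and `"::1/127 "` expect TRUE, which presumably relies on the list tokenizer dropping the trailing space before `match_ip` sees the token, and a short comment saying so would help the next reader. The table and `test_unit1614` continue outside both hunks.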