From 6ef4871f5d56d5d7e99dfb65d69bf47e9861887b Mon Sep 17 00:00:00 2001 From: Daniel Stenberg Date: Mon, 6 Oct 2025 10:20:45 +0200 Subject: [PATCH] ftp: improve fragile check for first digit > 3 In a case where rubbish would be sent in the line something that isn't a digit could be first in line and treated as less than '3'. Prevent this risk by first doing a check that the byte is a digit. Reported-by: Joshua Rogers Closes #18870 --- lib/ftp.c | 13 ++++++++----- 1 file changed, 8 insertions(+), 5 deletions(-) diff --git a/lib/ftp.c b/lib/ftp.c index 77db98c005..402c13a07c 100644 --- a/lib/ftp.c +++ b/lib/ftp.c @@ -449,11 +449,14 @@ static CURLcode ftp_check_ctrl_on_data_wait(struct Curl_easy *data, bool response = FALSE; /* First check whether there is a cached response from server */ - if(curlx_dyn_len(&pp->recvbuf) && (*curlx_dyn_ptr(&pp->recvbuf) > '3')) { - /* Data connection could not be established, let's return */ - infof(data, "There is negative response in cache while serv connect"); - (void)getftpresponse(data, &nread, &ftpcode); - return CURLE_FTP_ACCEPT_FAILED; + if(curlx_dyn_len(&pp->recvbuf)) { + const char *l = curlx_dyn_ptr(&pp->recvbuf); + if(!ISDIGIT(*l) || (*l > '3')) { + /* Data connection could not be established, let's return */ + infof(data, "There is negative response in cache while serv connect"); + (void)getftpresponse(data, &nread, &ftpcode); + return CURLE_FTP_ACCEPT_FAILED; + } } if(pp->overflow) -- 2.47.3