From: Daniel Stenberg <daniel@haxx.se>
Date: Mon, 6 Oct 2025 08:20:45 +0000 (+0200)
Subject: ftp: improve fragile check for first digit > 3
X-Git-Tag: rc-8_17_0-1~113
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=6ef4871f5d56d5d7e99dfb65d69bf47e9861887b;p=thirdparty%2Fcurl.git

ftp: improve fragile check for first digit > 3

In a case where rubbish would be sent in the line something that isn't a
digit could be first in line and treated as less than '3'. Prevent this
risk by first doing a check that the byte is a digit.

Reported-by: Joshua Rogers
Closes #18870
---

diff --git a/lib/ftp.c b/lib/ftp.c
index 77db98c005..402c13a07c 100644
--- a/lib/ftp.c
+++ b/lib/ftp.c
@@ -449,11 +449,14 @@ static CURLcode ftp_check_ctrl_on_data_wait(struct Curl_easy *data,
   bool response = FALSE;
 
   /* First check whether there is a cached response from server */
-  if(curlx_dyn_len(&pp->recvbuf) && (*curlx_dyn_ptr(&pp->recvbuf) > '3')) {
-    /* Data connection could not be established, let's return */
-    infof(data, "There is negative response in cache while serv connect");
-    (void)getftpresponse(data, &nread, &ftpcode);
-    return CURLE_FTP_ACCEPT_FAILED;
+  if(curlx_dyn_len(&pp->recvbuf)) {
+    const char *l = curlx_dyn_ptr(&pp->recvbuf);
+    if(!ISDIGIT(*l) || (*l > '3')) {
+      /* Data connection could not be established, let's return */
+      infof(data, "There is negative response in cache while serv connect");
+      (void)getftpresponse(data, &nread, &ftpcode);
+      return CURLE_FTP_ACCEPT_FAILED;
+    }
   }
 
   if(pp->overflow)