noproxy: replace atoi with curlx_str_number

To better reject junk and detect overflows. There were already additional precautions and protections in place, but this is cleaner. Extended the 1614 unit tests with some more bad syntax cases. Closes #19475
2026-04-15 01:51:41 +03:00 · 2025-11-12 08:17:48 +01:00 · 2025-11-12 08:17:48 +01:00 · 97b0abb46b
commit 97b0abb46b
parent 207721165e
3 changed files with 19 additions and 3 deletions
--- a/lib/noproxy.c
+++ b/lib/noproxy.c
@ -166,9 +166,12 @@ static bool match_ip(int type, const char *token, size_t tokenlen,
  slash = strchr(check, '/');
  /* if the slash is part of this token, use it */
  if(slash) {
-    /* if the bits variable gets a crazy value here, that is fine as
-       the value will then be rejected in the cidr function */
-    bits = (unsigned int)atoi(slash + 1);
+    curl_off_t value;
+    const char *p = &slash[1];
+    if(curlx_str_number(&p, &value, 128) || *p)
+      return FALSE;
+    /* a too large value is rejected in the cidr function below */
+    bits = (unsigned int)value;
    *slash = 0; /* null-terminate there */
  }
  if(type == TYPE_IPV6)
--- a/tests/data/test1614
+++ b/tests/data/test1614
@ -2,6 +2,7 @@
 <info>
 <keywords>
 unittest
+noproxy
 </keywords>
 </info>

--- a/tests/unit/unit1614.c
+++ b/tests/unit/unit1614.c
@ -99,8 +99,14 @@ static CURLcode test_unit1614(const char *arg)
    { "foobar", "foobar", TRUE},
    { "192.168.0.1", "foobar", FALSE},
    { "192.168.0.1", "192.168.0.0/16", TRUE},
+    { "192.168.0.1", "192.168.0.0/16a", FALSE},
+    { "192.168.0.1", "192.168.0.0/16 ", TRUE},
+    { "192.168.0.1", "192.168.0.0/a16", FALSE},
+    { "192.168.0.1", "192.168.0.0/ 16", FALSE},
    { "192.168.0.1", "192.168.0.0/24", TRUE},
    { "192.168.0.1", "192.168.0.0/32", FALSE},
+    { "192.168.0.1", "192.168.0.1/32", TRUE},
+    { "192.168.0.1", "192.168.0.1/33", FALSE},
    { "192.168.0.1", "192.168.0.0", FALSE},
    { "192.168.1.1", "192.168.0.0/24", FALSE},
    { "192.168.1.1", "192.168.0.0/33", FALSE},
@ -111,7 +117,13 @@ static CURLcode test_unit1614(const char *arg)
    { "[::1]", "foo, bar, ::1/64", TRUE},
    { "[::1]", "::1/64", TRUE},
    { "[::1]", "::1/96", TRUE},
+    { "[::1]", "::1/129", FALSE},
+    { "[::1]", "::1/128", TRUE},
    { "[::1]", "::1/127", TRUE},
+    { "[::1]", "::1/a127", FALSE},
+    { "[::1]", "::1/127a", FALSE},
+    { "[::1]", "::1/ 127", FALSE},
+    { "[::1]", "::1/127 ", TRUE},
    { "[::1]", "::1/126", TRUE},
    { "[::1]", "::1/125", TRUE},
    { "[::1]", "::1/124", TRUE},