From b2e0b4d008ee01ab8965e095822f31f9ff2da723 Mon Sep 17 00:00:00 2001 From: Daniel Stenberg Date: Wed, 12 Nov 2025 08:49:13 +0100 Subject: [PATCH] libssh2: replace atoi() in ssh_force_knownhost_key_type Closes #19479 --- lib/vssh/libssh2.c | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/lib/vssh/libssh2.c b/lib/vssh/libssh2.c index 3ac8c92293..d3d6cb1dc9 100644 --- a/lib/vssh/libssh2.c +++ b/lib/vssh/libssh2.c @@ -748,19 +748,21 @@ static CURLcode ssh_force_knownhost_key_type(struct Curl_easy *data, if(store) { if(store->name) { if(store->name[0] == '[') { - int port = 0; + curl_off_t port; size_t kh_name_size = 0; + const char *p; const char *kh_name_end = strstr(store->name, "]:"); if(!kh_name_end) { infof(data, "Invalid host pattern %s in %s", store->name, data->set.str[STRING_SSH_KNOWNHOSTS]); continue; } - port = atoi(kh_name_end + 2); - if(kh_name_end && (port == conn->remote_port)) { + p = kh_name_end + 2; /* start of port number */ + if(!curlx_str_number(&p, &port, 0xffff) && + (kh_name_end && (port == conn->remote_port))) { kh_name_size = strlen(store->name) - 1 - strlen(kh_name_end); if(strncmp(store->name + 1, - conn->host.name, kh_name_size) == 0) { + conn->host.name, kh_name_size) == 0) { found = TRUE; break; }