authorDaniel Stenberg <daniel@haxx.se>2021-04-19 22:58:54 +0200
committerDaniel Stenberg <daniel@haxx.se>2021-04-21 09:17:55 +0200
commit04488851e291ea0fc3f32e87ea637afcf1c2ca28 (patch)
treec08e26adf453232c65412e4d1a8a35f92a6e6dd1 /lib
parent9cb48457c6a9db533d6759a31a49ba13f1bc591b (diff)
urlapi: make sure no +/- signs are accepted in IPv4 numericals
Follow-up to 56a037cc0ad1b2. Extends test 1560 to verify. Reported-by: Tuomas Siipola Fixes #6916 Closes #6917
Diffstat (limited to 'lib')
-rw-r--r--lib/urlapi.c6
1 files changed, 5 insertions, 1 deletions
diff --git a/lib/urlapi.c b/lib/urlapi.c
index 340dc33df..6483208ec 100644
--- a/lib/urlapi.c
+++ b/lib/urlapi.c
@@ -686,7 +686,11 @@ static bool ipv4_normalize(const char *hostname, char *outp, size_t olen)
while(!done) {
char *endp;
- unsigned long l = strtoul(c, &endp, 0);
+ unsigned long l;
+ if((*c < '0') || (*c > '9'))
+ /* most importantly this doesn't allow a leading plus or minus */
+ return FALSE;
+ l = strtoul(c, &endp, 0);
/* overflow or nothing parsed at all */
if(((l == ULONG_MAX) && (errno == ERANGE)) || (endp == c))