URL: <https://savannah.gnu.org/bugs/?68295>
Summary: is_valid_port: undefined behavior with atoi on overflow
Group: GNU Wget
Submitter: sdainard
Submitted: Wed 29 Apr 2026 06:32:17 PM UTC
Category: None
Severity: 3 - Normal
Priority: 5 - Normal
Status: None
Privacy: Public
Assigned to: None
Originator Name: Samuel Dainard
Originator Email:
Open/Closed: Open
Discussion Lock: Unlocked
Release: trunk
Operating System: None
Reproducibility: None
Fixed Release: None
Planned Release: None
Regression: None
Work Required: None
Patch Included: Yes
_______________________________________________________
Follow-up Comments:
-------------------------------------------------------
Date: Wed 29 Apr 2026 06:32:17 PM UTC By: sdainard <sdainard>
The is_valid_port() function introduced in commit c419542d uses atoi() to
parse the port string. atoi() has undefined behavior on integer overflow per
the C standard.
Since this function processes untrusted URL input, an attacker-controlled
string like "99999999999" triggers UB before the range check can reject it.
Replacing atoi() with strtoul() avoids UB — strtoul sets errno to ERANGE
on overflow. The end pointer also eliminates the need for the separate
strspn() call.
Patch attached.
_______________________________________________________
File Attachments:
Name: Fix-undefined-behavior-in-is_valid_port.patch Size: 1.6KiB
<https://file.savannah.gnu.org/file/Fix-undefined-behavior-in-is_valid_port.patch?file_id=58526>
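The strtoul()-based check described in the report, as an added example; it is not the attached patch and not wget's code. The helper name `parse_port`, its -1 return convention, and the assumption that the port must be the entire string are all hypothetical.

```c
#include <ctype.h>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical helper (not wget's is_valid_port): parse a port from
   untrusted text. Returns 1..65535 on success, -1 on rejection.
   Assumption: the port is the whole string, nothing may follow it. */
static long parse_port(const char *s)
{
    char *end;
    unsigned long v;

    /* strtoul skips leading whitespace and accepts a sign, so require
       a digit first; this rejects "", " 80", "+80" and "-1". */
    if (!isdigit((unsigned char) s[0]))
        return -1;

    errno = 0;                      /* strtoul never clears errno itself */
    v = strtoul(s, &end, 10);

    if (errno == ERANGE)            /* did not fit in unsigned long */
        return -1;
    if (*end != '\0')               /* trailing junk such as "80abc" */
        return -1;
    if (v == 0 || v > 65535)        /* outside the valid port range */
        return -1;

    return (long) v;
}

int main(void)
{
    /* Constructed sample inputs, including the overflow case. */
    static const char *samples[] = {
        "80", "65535", "65536", "0", "99999999999",
        "99999999999999999999999999", "-1", " 80", "80abc", ""
    };
    for (size_t i = 0; i < sizeof samples / sizeof *samples; i++)
        printf("%-28s -> %ld\n", samples[i], parse_port(samples[i]));
    return 0;
}
```

Whether "99999999999" is caught by the ERANGE check or by the range check depends on the width of unsigned long; either way the result is defined and the input is rejected.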
