noproxy: test bad ipv6 net size first

No need to parse anything if the size is out of range.

Added some tests to this effect to test 1614.

Closes #13902
Daniel Stenberg 2024-06-06 22:58:45 +02:00
parent b9c2a56be2
commit 4e71f134e5
GPG Key ID: 5CC908FDB71E12C2
2 changed files with 8 additions and 2 deletions


@ -89,12 +89,12 @@ UNITTEST bool Curl_cidr6_match(const char *ipv6,
bytes = bits / 8;
rest = bits & 0x07;
if((bytes > 16) || ((bytes == 16) && rest))
return FALSE;
if(1 != Curl_inet_pton(AF_INET6, ipv6, address))
return FALSE;
if(1 != Curl_inet_pton(AF_INET6, network, check))
return FALSE;
if((bytes > 16) || ((bytes == 16) && rest))
return FALSE;
if(bytes && memcmp(address, check, bytes))
return FALSE;
if(rest && !((address[bytes] ^ check[bytes]) & (0xff << (8 - rest))))
@ -231,6 +231,8 @@ bool Curl_check_noproxy(const char *name, const char *no_proxy)
slash = strchr(check, '/');
/* if the slash is part of this token, use it */
if(slash) {
/* if the bits variable gets a crazy value here, that is fine as
the value will then be rejected in the cidr function */
bits = (unsigned int)atoi(slash + 1);
*slash = 0; /* null terminate there */
}
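Review bot: The partial-byte check on the last line of the first hunk looks inverted: `(address[bytes] ^ check[bytes]) & (0xff << (8 - rest))` is non-zero exactly when the two addresses differ inside the prefix, yet the leading `!` makes the function return FALSE when that value is zero, i.e. when the bits agree. For a prefix length that is not a multiple of 8, this would reject addresses inside the network and let through ones that differ in those bits, so a no_proxy entry could put traffic on the wrong side of the proxy decision. The condition should read `if(rest && ((address[bytes] ^ check[bytes]) & (0xff << (8 - rest))))`. Separately, in the second hunk `atoi(slash + 1)` accepts trailing garbage and is undefined for out-of-range input, so the new comment's promise of rejection holds only for values atoi can represent; `strtoul` with an end-pointer check would make that explicit. Both functions continue outside the hunks shown.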


@ -110,10 +110,14 @@ UNITTEST_START
{ "192.168.0.1", "192.168.0.0/32", FALSE},
{ "192.168.0.1", "192.168.0.0", FALSE},
{ "192.168.1.1", "192.168.0.0/24", FALSE},
{ "192.168.1.1", "192.168.0.0/33", FALSE},
{ "192.168.1.1", "foo, bar, 192.168.0.0/24", FALSE},
{ "192.168.1.1", "foo, bar, 192.168.0.0/16", TRUE},
{ "[::1]", "foo, bar, 192.168.0.0/16", FALSE},
{ "[::1]", "foo, bar, ::1/64", TRUE},
{ "[::1]", "::1/64", TRUE},
{ "[::1]", "::1/96", TRUE},
{ "[::1]", "::1/129", FALSE},
{ "bar", "foo, bar, ::1/64", TRUE},
{ "BAr", "foo, bar, ::1/64", TRUE},
{ "BAr", "foo,,,,, bar, ::1/64", TRUE},
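Review bot: The IPv6 rows in this hunk use only /64, /96 and /129, so every accepted prefix is a multiple of 8 and the partial-byte comparison in the IPv6 matcher is never reached, as far as the hunk shows. One in-range pair with a non-byte-aligned length would pin that path, for example `{ "[::1]", "::1/127", TRUE},` and `{ "[::1]", "::2/127", FALSE},` (constructed values). The largest valid size, `::1/128`, also deserves a row next to the `/129` rejection so both sides of the boundary are covered. The table continues outside this hunk, so such rows may already exist elsewhere.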