From 4e71f134e5aa3bd77ec645f12826e1823d06b398 Mon Sep 17 00:00:00 2001
From: Daniel Stenberg
Date: Thu, 6 Jun 2024 22:58:45 +0200
Subject: [PATCH] noproxy: test bad ipv6 net size first

No need to parse anything if the size is out of range.

Added some tests to this effect to test 1614.

Closes #13902
---
 lib/noproxy.c | 6 ++++--
 tests/unit/unit1614.c | 4 ++++
 2 files changed, 8 insertions(+), 2 deletions(-)

diff --git a/lib/noproxy.c b/lib/noproxy.c
index 7df40b8d72..f57a50b43f 100644
--- a/lib/noproxy.c
+++ b/lib/noproxy.c
@@ -89,12 +89,12 @@ UNITTEST bool Curl_cidr6_match(const char *ipv6,
 bytes = bits / 8;
 rest = bits & 0x07;
+ if((bytes > 16) || ((bytes == 16) && rest))
+ return FALSE;
 if(1 != Curl_inet_pton(AF_INET6, ipv6, address))
 return FALSE;
 if(1 != Curl_inet_pton(AF_INET6, network, check))
 return FALSE;
- if((bytes > 16) || ((bytes == 16) && rest))
- return FALSE;
 if(bytes && memcmp(address, check, bytes))
 return FALSE;
 if(rest && !((address[bytes] ^ check[bytes]) & (0xff << (8 - rest))))
@@ -231,6 +231,8 @@ bool Curl_check_noproxy(const char *name, const char *no_proxy)
 slash = strchr(check, '/');
 /* if the slash is part of this token, use it */
 if(slash) {
+ /* if the bits variable gets a crazy value here, that is fine as
+ the value will then be rejected in the cidr function */
 bits = (unsigned int)atoi(slash + 1);
 *slash = 0; /* null terminate there */
 }
diff --git a/tests/unit/unit1614.c b/tests/unit/unit1614.c
index b516db2491..fd6f5849c8 100644
--- a/tests/unit/unit1614.c
+++ b/tests/unit/unit1614.c
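Review bot: The moved range check in Curl_cidr6_match states the limit indirectly through `bytes` and `rest`, where `if(bits > 128) return FALSE;` is equivalent (128 yields bytes 16 and rest 0, which passes; any larger value fails one of the two terms) and names the contract directly, and it could sit before the division and mask rather than after them. A short comment on the check, such as `/* an IPv6 prefix can be at most 128 bits */`, would also help a reader who does not know why 16 is the magic number. Curl_cidr6_match begins before this hunk, so how `bits` is derived and any handling of `bits == 0` are not visible here.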
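Review bot: The comment added above the `atoi` call says a crazy value is fine because the cidr function rejects it, but `atoi` does not produce a crazy value for malformed input: `/abc` becomes 0 and `/64xyz` becomes 64, so a mistyped prefix is silently accepted as some other prefix, and whether the cidr functions treat `bits == 0` as invalid is not visible in this hunk. A stricter parse that forces an out-of-range value on anything other than a complete decimal number would make the rejection the comment relies on actually happen for junk input too; the sketch below does that with `strtoul` and needs `UINT_MAX` from `<limits.h>` if the file does not already include it. Curl_check_noproxy continues outside this hunk, and I am assuming the IPv4 path has an equivalent upper-bound check (the new /33 test in unit1614 suggests it does).
```c
    if(slash) {
      char *endp;
      unsigned long b = strtoul(slash + 1, &endp, 10);
      /* non-numeric or trailing junk: force a value the cidr checks reject */
      if(endp == slash + 1 || *endp || b > UINT_MAX)
        bits = UINT_MAX;
      else
        bits = (unsigned int)b;
      /* … unchanged: *slash = 0; … */
```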
@@ -110,10 +110,14 @@ UNITTEST_START
 { "192.168.0.1", "192.168.0.0/32", FALSE},
 { "192.168.0.1", "192.168.0.0", FALSE},
 { "192.168.1.1", "192.168.0.0/24", FALSE},
+ { "192.168.1.1", "192.168.0.0/33", FALSE},
 { "192.168.1.1", "foo, bar, 192.168.0.0/24", FALSE},
 { "192.168.1.1", "foo, bar, 192.168.0.0/16", TRUE},
 { "[::1]", "foo, bar, 192.168.0.0/16", FALSE},
 { "[::1]", "foo, bar, ::1/64", TRUE},
+ { "[::1]", "::1/64", TRUE},
+ { "[::1]", "::1/96", TRUE},
+ { "[::1]", "::1/129", FALSE},
 { "bar", "foo, bar, ::1/64", TRUE},
 { "BAr", "foo, bar, ::1/64", TRUE},
 { "BAr", "foo,,,,, bar, ::1/64", TRUE},
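Review bot: The new IPv6 rows cover /64, /96 and /129 but miss the two boundaries the range check in Curl_cidr6_match actually distinguishes: /128 (bytes 16, rest 0, the largest prefix that must still be accepted) and a value that trips the `bytes > 16` term, since 129 only exercises the `bytes == 16 && rest` term. Adding `{ "[::1]", "::1/128", TRUE},` and `{ "[::1]", "::1/136", FALSE},` next to the /129 row would pin both branches of the check. The table continues outside the hunk.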