| From 3c0fde94981b025271ffa1788ae425257841bf5a Mon Sep 17 00:00:00 2001 |
| From: rofl0r <rofl0r@users.noreply.github.com> |
| Date: Fri, 17 Oct 2025 22:57:39 +0000 |
| Subject: [PATCH] reqs: fix integer overflow in port number processing |
| |
| closes #586 |
| |
| CVE: CVE-2025-63938 |
| Upstream: https://github.com/tinyproxy/tinyproxy/commit/3c0fde94981b025271ffa1788ae425257841bf5a |
| Signed-off-by: Thomas Perale <thomas.perale@mind.be> |
| --- |
| src/reqs.c | 9 ++++++--- |
| 1 file changed, 6 insertions(+), 3 deletions(-) |
| |
| diff --git a/src/reqs.c b/src/reqs.c |
| index 52135a03..a562c68a 100644 |
| --- a/src/reqs.c |
| +++ b/src/reqs.c |
| @@ -174,7 +174,7 @@ static int strip_return_port (char *host) |
| { |
| char *ptr1; |
| char *ptr2; |
| - int port; |
| + unsigned port; |
| |
| ptr1 = strrchr (host, ':'); |
| if (ptr1 == NULL) |
| @@ -186,8 +186,11 @@ static int strip_return_port (char *host) |
| return 0; |
| |
| *ptr1++ = '\0'; |
| - if (sscanf (ptr1, "%d", &port) != 1) /* one conversion required */ |
| - return 0; |
| + |
| + port = atoi(ptr1); |
| + /* check that port string is in the valid range 1-0xffff) */ |
| + if(strlen(ptr1) > 5 || (port & 0xffff0000)) return 0; |
| + |
| return port; |
| } |
| |
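Review bot: `port = atoi(ptr1);` is evaluated before the `strlen(ptr1) > 5` guard on the line below it, so an over-long digit string still reaches atoi, whose result for a value that does not fit in int is undefined in C; the length test only protects the conversion if it runs first. Reordering to `if (strlen(ptr1) > 5) return 0;` / `port = atoi(ptr1);` / `if (port == 0 || port > 0xffff) return 0;` makes the guard effective and states the range explicitly instead of relying on the high-bit mask (a port string of `0` currently falls through to `return port`, which only happens to coincide with the no-port return value). A strtoul call with an end pointer and an ERANGE check would additionally give a defined overflow result and could reject trailing non-digits, which neither the old sscanf nor atoi does; atoi also accepts leading whitespace and a sign, so inputs such as `+80` or ` 80` now parse as ports where the previous `%d` conversion did the same, which is worth a comment if intended. The new comment has an unbalanced parenthesis and could read `/* check that port string is in the valid range 1-0xffff */`. strip_return_port begins in the previous hunk, so its head is outside this one.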