- Fix for NLnetLabs#1062: declaration before statement, avoid print o…

…f null, and redundant check for array size. And changelog note for merge of NLnetLabs#1062.
jedisct1 · May 7, 2024 · c085a53 · c085a53
1 parent 49569b8
commit c085a53
Show file tree

Hide file tree

Showing 2 changed files with 11 additions and 3 deletions.
diff --git a/doc/Changelog b/doc/Changelog
@@ -1,3 +1,9 @@
+7 May 2024: Wouter
+	- Merge #1062: Fix potential overflow bug while parsing port in
+	  function cfg_mark_ports.
+	- Fix for #1062: declaration before statement, avoid print of null,
+	  and redundant check for array size.
+
 1 May 2024: Wouter
 	- Fix for the DNSBomb vulnerability CVE-2024-33655. Thanks to Xiang Li
 	  from the Network and Information Security Lab of Tsinghua University

diff --git a/util/config_file.c b/util/config_file.c
@@ -1776,12 +1776,13 @@ init_outgoing_availports(int* a, int num)
 static int
 extract_port_from_str(const char* str, int max_port) {
 	char* endptr;
+	long int value;
 	if (str == NULL || *str == '\0') {
-		log_err("str: '%s' is invalid", str);
+		log_err("str: '%s' is invalid", (str?str:"NULL"));
 		return -1;
 	}
 
-	long int value = strtol(str, &endptr, 10);
+	value = strtol(str, &endptr, 10);
 	if ((endptr == str) || (*endptr != '\0'))  {
 		log_err("cannot parse port number '%s'", str);
 		return -1;
@@ -1820,7 +1821,8 @@ cfg_mark_ports(const char* str, int allow, int* avail, int num)
 			log_err("Failed to parse the port number");
 			return 0;
 		}
-		avail[port] = (allow?port:0);
+		if(port < num)
+			avail[port] = (allow?port:0);
 	} else {
 		char buf[16];
 		int i, low;