examples: replace atoi() with strtol() for safe number parsing

Replace all usages on atoi() in examples with strtol() and add validation for the same. Signed-off-by: Manas Trivedi <manas.trivedi.020@gmail.com> Reviewed-by: Jakub Jelen <jjelen@redhat.com>
2026-06-11 12:56:21 +09:00 · 2026-03-24 15:26:44 +00:00
parent 51d715ec91
commit 08c7d67fac
2 changed files with 32 additions and 9 deletions
--- a/examples/samplesshd-kbdint.c
+++ b/examples/samplesshd-kbdint.c
@@ -40,7 +40,7 @@ clients must be made or how a client should react.
 #endif
 #endif

-static int port = 22;
+static const char* port = "22";
 static bool authenticated = false;

 #ifdef WITH_PCAP
@@ -139,10 +139,10 @@ static error_t parse_opt (int key, char *arg, struct argp_state *state) {
  ssh_bind sshbind = state->input;

  switch (key) {
-    case 'p':
-      ssh_bind_options_set(sshbind, SSH_BIND_OPTIONS_BINDPORT_STR, arg);
-      port = atoi(arg);
-      break;
+    case 'p': 
+        ssh_bind_options_set(sshbind, SSH_BIND_OPTIONS_BINDPORT_STR, arg);
+        port = arg;
+        break;
    case 'r':
    case 'k':
      ssh_bind_options_set(sshbind, SSH_BIND_OPTIONS_HOSTKEY, arg);
@@ -315,7 +315,7 @@ int main(int argc, char **argv)
        printf("Error listening to socket: %s\n", ssh_get_error(sshbind));
        return 1;
    }
-    printf("Started sample libssh sshd on port %d\n", port);
+    printf("Started sample libssh sshd on port %s\n", port);
    printf("You can login as the user %s with the password %s\n", SSHD_USER,
                                                            SSHD_PASSWORD);
    r = ssh_bind_accept(sshbind, session);
--- a/examples/sshnetcat.c
+++ b/examples/sshnetcat.c
@@ -41,6 +41,7 @@ clients must be made or how a client should react.

 char *host = NULL;
 const char *desthost = "localhost";
+static int port_num = 22;
 const char *port = "22";

 #ifdef WITH_PCAP
@@ -74,8 +75,23 @@ static int opts(int argc, char **argv)
        host = argv[optind++];
    if (optind < argc)
        desthost = argv[optind++];
-    if (optind < argc)
-        port = argv[optind++];
+    if (optind < argc) {
+        char *endptr = NULL;
+        long tmp;
+
+        errno = 0;
+        tmp = strtol(argv[optind], &endptr, 10);
+
+        if (errno != 0 || endptr == argv[optind] || *endptr != '\0' ||
+            tmp < 0 || tmp > 65535) {
+            fprintf(stderr, "Invalid port: %s\n", argv[optind]);
+            usage();
+        }
+
+        port = argv[optind];
+        port_num = (int)tmp;
+        optind++;
+    }
    if (host == NULL)
        usage();
    return 0;
@@ -192,12 +208,19 @@ static void forwarding(ssh_session session)
 {
    ssh_channel channel;
    int r;
+
    channel = ssh_channel_new(session);
-    r = ssh_channel_open_forward(channel, desthost, atoi(port), "localhost", 22);
+
+    r = ssh_channel_open_forward(channel,
+                                 desthost,
+                                 port_num,
+                                 "localhost",
+                                 22);
    if (r < 0) {
        printf("error forwarding port : %s\n", ssh_get_error(session));
        return;
    }
+
    select_loop(session, channel);
 }