# HG changeset patch
# User Matt Johnston <matt@codeconstruct.com.au>
# Date 1634052669 -28800
# Node ID 870f6e386a0bb2919c705d44369bd820f67540d2
# Parent  a974a80f5f4419ed51ee97a8f6b044c72bc3604c
Partial strings from strtoul should return error

diff -r a974a80f5f44 -r 870f6e386a0b dbutil.c
--- a/dbutil.c	Tue Oct 12 21:29:42 2021 +0800
+++ b/dbutil.c	Tue Oct 12 23:31:09 2021 +0800
@@ -583,8 +583,15 @@
 /* Returns DROPBEAR_SUCCESS or DROPBEAR_FAILURE, with the result in *val */
 int m_str_to_uint(const char* str, unsigned int *val) {
 	unsigned long l;
-	errno = 0;
-	l = strtoul(str, NULL, 10);
+	char *endp;
+
+	l = strtoul(str, &endp, 10);
+
+	if (endp == str || *endp != '\0') {
+		// parse error
+		return DROPBEAR_FAILURE;
+	}
+
 	/* The c99 spec doesn't actually seem to define EINVAL, but most platforms
 	 * I've looked at mention it in their manpage */
 	if ((l == 0 && errno == EINVAL)