
From:
"Theo de Raadt" <deraadt@openbsd.org>
Subject:
Re: openssh: fractional-second PerSourcePenalties part 1
To:
Damien Miller <djm@mindrot.org>
Cc:
tech@openbsd.org, openssh@openssh.com
Date:
Mon, 01 Dec 2025 09:28:44 -0700

Damien Miller <djm@mindrot.org> wrote:

> On Sun, 30 Nov 2025, Theo de Raadt wrote:
> 
> > I think
> > 
> >   Nan(Bull.shit)
> > 
> > is also valid input nowadays.
> > 
> > The standards groups are committed to making things worse.
> 
> sigh, we really can't have nice things. I think this avoids all
> of these wacky forms. I guess sscanf() would be no better here either.
> 
> We don't setlocale(LC_NUMERIC, ...) in OpenSSH, so 0,111 shouldn't
> be a problem. If that somehow snuck in, then with the below it would
> fail reasonably safely AFAIK.
> 
> Unless you want to do a strtodnum :)
> 
> diff --git a/misc.c b/misc.c
> index 20eb305..b2276bb 100644
> --- a/misc.c
> +++ b/misc.c
> @@ -619,6 +619,9 @@ convtime_usec(const char *s)
>  		errno = 0;
>  		if ((val = strtod(p, &endp)) < 0 || errno != 0 || p == endp)
>  			return -1;
> +		/* Allow only decimal forms */
> +		if (p + strspn(p, "0123456789.") != endp)
> +			return -1;
>  		start_p = p;
>  		p = endp;
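
Review bot: the comment on the new strspn() check says only "Allow only decimal forms", but the accept set "0123456789." also turns away exponent notation such as 1e3, hex floats, a leading sign (including -0, which gets past the `val < 0` test) and any leading whitespace that strtod() skips. Spell those out in the comment so the narrower grammar is clearly intended. A component with two dots such as 1.2.3 fails here too, because strspn() runs past the point where strtod() stopped; worth a mention in the same comment.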

That looks like a reasonable way of catching the problem.  It removes the
ability to exercise -, +, NaN, Infinity, ( ).  It assumes the whitespace is
earlier.  It pins the trailing multiplier character.
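
The effect described above, as an added example that is not part of the original message or of OpenSSH's misc.c: `parse_num()` and `accepts()` are hypothetical names wrapping the hunk's two tests, and the input strings are constructed. It compares what strtod() alone accepts with what survives the strspn() check, assuming a C99 strtod() in the C locale.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Hypothetical helper, not from misc.c: parse one leading number as the
 * quoted hunk does. strict=0 is the pre-patch test, strict=1 adds the
 * strspn() check. Returns 0 on success with *val and *endp set, else -1.
 */
int
parse_num(const char *p, int strict, double *val, char **endp)
{
	errno = 0;
	if ((*val = strtod(p, endp)) < 0 || errno != 0 || p == *endp)
		return -1;
	/* Allow only decimal forms: consumed span must be digits and '.' */
	if (strict && p + strspn(p, "0123456789.") != *endp)
		return -1;
	return 0;
}

/* 1 if s is accepted, 0 if rejected */
int
accepts(const char *s, int strict)
{
	double v;
	char *e;

	return parse_num(s, strict, &v, &e) == 0;
}

int
main(void)
{
	/* Constructed inputs: forms strtod() parses besides plain decimals */
	const char *in[] = { "1.5s", ".5", "nan(abc)", "inf", "0x10", "1e3",
	    "+1", " 1", "-0", "1.2.3" };
	size_t i;

	for (i = 0; i < sizeof(in) / sizeof(in[0]); i++)
		printf("%-10s strtod-only=%d with-strspn=%d\n", in[i],
		    accepts(in[i], 0), accepts(in[i], 1));
	return 0;
}
```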