From: Claudio Jeker Subject: bgpd: don't use strtoul in str2key To: tech@openbsd.org Date: Tue, 2 Apr 2024 15:31:06 +0200 A similar change was done in ssh. The str2key() function uses strtoul() to convert a string from hex. This is not the way strtoul() should be used and instead just do it by hand. -- :wq Claudio
Index: parse.y
===================================================================
RCS file: /cvs/src/usr.sbin/bgpd/parse.y,v
diff -u -p -r1.457 parse.y
--- parse.y 20 Mar 2024 09:35:46 -0000 1.457
+++ parse.y 2 Apr 2024 13:28:22 -0000
@@ -4985,11 +4985,23 @@ expand_rule(struct filter_rule *rule, st
 return (0);
 }

+static int
+h2i(char c)
+{
+ if (c >= '0' && c <= '9')
+ return c - '0';
+ else if (c >= 'a' && c <= 'f')
+ return c - 'a' + 10;
+ else if (c >= 'A' && c <= 'F')
+ return c - 'A' + 10;
+ else
+ return -1;
+}
+
 int
 str2key(char *s, char *dest, size_t max_len)
 {
- unsigned int i;
- char t[3];
+ size_t i;

 if (strlen(s) / 2 > max_len) {
 yyerror("key too long");
@@ -5002,15 +5014,15 @@ str2key(char *s, char *dest, size_t max_
 }

 for (i = 0; i < strlen(s) / 2; i++) {
- t[0] = s[2*i];
- t[1] = s[2*i + 1];
- t[2] = 0;
- if (!isxdigit((unsigned char)t[0]) ||
- !isxdigit((unsigned char)t[1])) {
+ int hi, lo;
+
+ hi = h2i(s[2 * i]);
+ lo = h2i(s[2 * i + 1]);
+ if (hi == -1 || lo == -1) {
 yyerror("key must be specified in hex");
 return (-1);
 }
- dest[i] = strtoul(t, NULL, 16);
+ dest[i] = (hi << 4) | lo;
 }

 return (0);
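Review bot: The new helper h2i() has no comment stating its contract, yet str2key() relies on its `-1` sentinel as the only rejection of non-hex characters in a key string. A one-line header above `static int`, such as `/* Convert one hex digit to its value (0-15); return -1 if c is not a hex digit. */`, would make that dependency explicit for the next reader. Since every branch returns, the `else` keywords could also be dropped in favour of plain `if` guards, but that is cosmetic.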
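Review bot: The loop condition `i < strlen(s) / 2` in the second hunk still rescans the key string on every iteration, and the length check at the top of str2key() computes the same value separately. Now that `i` is a `size_t`, a single `size_t len = strlen(s) / 2;` used for both `len > max_len` and `i < len` would make it obvious that the bound checked against `max_len` is the same one that limits the writes to `dest`. The division also discards a trailing odd digit, so the decode depends on an even-length check that is presumably in the lines between the two hunks, which are not shown here. str2key() begins in the first hunk and its closing brace lies past the end of this one.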