
hardening: replace silent atoi/atof/atoll coercion with validated parsing #470

@somethingwithproof

Description


Summary

Critical config and DB-loaded values are parsed with atoi/atof/atoll, which silently convert invalid input to 0 and do not provide range/error visibility.

Why this matters

  • Invalid numeric strings can silently become operational values.
  • Can unintentionally set ports/timeouts/retries/thread counts to unsafe defaults.
  • Overflow/underflow behavior is not handled explicitly.

Evidence

  • poller.c parses many host fields via atoi/atof/atoll.
  • util.c config parsing and runtime settings also use silent conversion.
  • Current code usually checks for NULL input but not conversion validity.

Scope

  • Introduce validated parse helpers (strtol/strtoul/strtod + errno + endptr checks).
  • Add range bounds per field (for example port, timeout, retries, thread limits).
  • Standardize failure behavior (log + safe fallback or skip item) per field criticality.

Proposed implementation

  1. Add shared parsing helpers in util.c/util.h (or a dedicated parse module).
  2. Migrate high-impact call sites first:
    • host loading in poller.c
    • config/runtime option parsing in util.c
    • CLI integer parsing in spine.c where applicable
  3. Emit structured warnings for invalid values with field name + source.
  4. Add bounds checks and explicit clamps/rejections.
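The helper shape described in the Scope and Proposed implementation items above, written out as an added example (not code from the spine repository or from the issue author): `strtol`/`strtod` with `errno` and `endptr` checks, a per-field `[min, max]` bound, and a "log + safe fallback" wrapper that names the field and its source. The names `parse_long_bounded`, `parse_double_bounded`, `parse_field_or_default` and the `parse_status_t` enum are assumptions for illustration, as are the sample inputs in `main`; the double parser also handles the NaN case, which a plain range comparison would accept.

```c
#include <ctype.h>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>

/* Outcome of a validated parse; anything but PARSE_OK leaves *out untouched.
 * (Hypothetical helper API; not the project's own.) */
typedef enum {
    PARSE_OK = 0,
    PARSE_NULL,         /* NULL or empty string */
    PARSE_INVALID,      /* no digits, leading space, trailing garbage, NaN */
    PARSE_OVERFLOW,     /* value does not fit the C type (errno == ERANGE) */
    PARSE_OUT_OF_RANGE  /* fits the type but lies outside [min, max] */
} parse_status_t;

/* Validated replacement for atoi/atol/atoll: strtol + errno + endptr + bounds. */
parse_status_t parse_long_bounded(const char *s, long min, long max, long *out)
{
    if (s == NULL || *s == '\0')
        return PARSE_NULL;
    /* strtol silently skips leading whitespace; a config value should not have any. */
    if (isspace((unsigned char)*s))
        return PARSE_INVALID;

    char *end = NULL;
    errno = 0;
    long v = strtol(s, &end, 10);
    if (errno == ERANGE)
        return PARSE_OVERFLOW;      /* e.g. "99999999999999999999" */
    if (end == s || *end != '\0')
        return PARSE_INVALID;       /* e.g. "abc" or "80abc" (atoi yields 0 and 80) */
    if (v < min || v > max)
        return PARSE_OUT_OF_RANGE;  /* e.g. port 70000 */
    *out = v;
    return PARSE_OK;
}

/* Validated replacement for atof: same checks, plus NaN, which would slip past
 * "v < min || v > max" because every comparison involving NaN is false. */
parse_status_t parse_double_bounded(const char *s, double min, double max, double *out)
{
    if (s == NULL || *s == '\0')
        return PARSE_NULL;
    if (isspace((unsigned char)*s))
        return PARSE_INVALID;

    char *end = NULL;
    errno = 0;
    double v = strtod(s, &end);
    if (errno == ERANGE)
        return PARSE_OVERFLOW;      /* e.g. "1e999" */
    if (end == s || *end != '\0' || v != v)
        return PARSE_INVALID;       /* garbage, trailing text, or "nan" */
    if (v < min || v > max)
        return PARSE_OUT_OF_RANGE;  /* also rejects "inf" and "-inf" */
    *out = v;
    return PARSE_OK;
}

/* Status-only wrappers for "skip item" call sites (and for tests). */
parse_status_t parse_long_status(const char *s, long min, long max)
{
    long ignored;
    return parse_long_bounded(s, min, max, &ignored);
}

parse_status_t parse_double_status(const char *s, double min, double max)
{
    double ignored;
    return parse_double_bounded(s, min, max, &ignored);
}

/* Per-field "log + safe fallback" policy: the warning carries the field name and
 * source so a bad value is visible in logs instead of silently becoming 0. */
long parse_field_or_default(const char *field, const char *source, const char *s,
                            long min, long max, long fallback)
{
    long v;
    parse_status_t st = parse_long_bounded(s, min, max, &v);
    if (st == PARSE_OK)
        return v;
    fprintf(stderr, "WARNING: %s: field '%s' has invalid value '%s' (status %d); using %ld\n",
            source, field, s ? s : "(null)", (int)st, fallback);
    return fallback;
}

/* Stand-alone demo: atoi versus the validated helper on constructed sample inputs. */
int main(void)
{
    const char *samples[] = { "161", "abc", "80abc", "", "70000", "-5" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        long v = parse_field_or_default("snmp_port", "hosts table (constructed sample)",
                                        samples[i], 1, 65535, 161);
        printf("input '%s': atoi -> %d, validated -> %ld\n", samples[i], atoi(samples[i]), v);
    }
    return 0;
}
```

The leading-whitespace rejection is a deliberate choice: `strtol` and `strtod` skip it, but a value read from a config file or a DB column with a leading space is more likely a data problem than an intended number, and rejecting it keeps the warning visible. Call sites that prefer clamping over rejection can map `PARSE_OUT_OF_RANGE` to the nearer bound inside their own wrapper.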

Acceptance Criteria

  • No critical path relies on raw atoi/atof/atoll conversions.
  • Invalid numeric inputs are detectable in logs and do not silently become 0.
  • Field ranges are enforced consistently.
  • Existing valid configs continue to behave unchanged.

Out of scope

  • Refactoring unrelated parsing logic.
  • Broad configuration format redesign.
