From 4c49ed1b7b817d5a4e991a88aa1b5a68e6c7975e Mon Sep 17 00:00:00 2001 From: Viktor Szakats Date: Tue, 2 Jun 2026 09:10:44 +0200 Subject: [PATCH] os400sys: fix theoretical length overflows When converting a `size_t` to `unsigned int`. Another instance spotted by Copilot. Reported-by: Gao Liyou Ref: #21825 Closes #21840 --- projects/OS400/os400sys.c | 22 ++++++++++++++++++++-- 1 file changed, 20 insertions(+), 2 deletions(-) diff --git a/projects/OS400/os400sys.c b/projects/OS400/os400sys.c index 36ed2480ea..dbceaf6259 100644 --- a/projects/OS400/os400sys.c +++ b/projects/OS400/os400sys.c @@ -370,6 +370,10 @@ static int Curl_gss_convert_in_place(OM_uint32 *minor_status, gss_buffer_t buf) return 0; } +/* Max string input length is a precaution against abuse and to detect junk + input easier and better. */ +#define CURL_MAX_INPUT_LENGTH 8000000 + OM_uint32 Curl_gss_import_name_a(OM_uint32 *minor_status, gss_buffer_t in_name, gss_OID in_name_type, gss_name_t *out_name) { @@ -381,7 +385,14 @@ OM_uint32 Curl_gss_import_name_a(OM_uint32 *minor_status, gss_buffer_t in_name, return gss_import_name(minor_status, in_name, in_name_type, out_name); memcpy((char *)&in, (char *)in_name, sizeof(in)); - i = in.length; + if(in.length > CURL_MAX_INPUT_LENGTH) { + if(minor_status) + /* !checksrc! disable ERRNOVAR 1 */ + *minor_status = ENOMEM; + + return GSS_S_FAILURE; + } + i = (unsigned int)in.length; in.value = malloc(i + 1); if(!in.value) { @@ -445,8 +456,15 @@ Curl_gss_init_sec_context_a(OM_uint32 *minor_status, if(inp) { if(inp->length && inp->value) { - unsigned int i = inp->length; + unsigned int i; + if(inp->length > CURL_MAX_INPUT_LENGTH) { + if(minor_status) + /* !checksrc! disable ERRNOVAR 1 */ + *minor_status = ENOMEM; + return GSS_S_FAILURE; + } + i = (unsigned int)inp->length; in.value = malloc(i + 1); if(!in.value) { if(minor_status)