romenskiy2012/curl
1
0
Fork 0
mirror of https://github.com/curl/curl.git synced 2026-04-14 21:41:41 +03:00
Code Issues Projects Releases Packages Wiki Activity

socks_gssapi: reject too long tokens

Browse source 
If GSS returns a token to use that is longer than 65535 bytes, it can't
be transmitted since the length field is an unisgned 16 bit field and
thus needs to trigger an error.

Reported in Joshua's sarif data

Closes #18681
This commit is contained in:
Daniel Stenberg 2025-09-22 11:08:43 +02:00
parent 976a08985a
commit 7cb5e39f36
No known key found for this signature in database
GPG key ID: 5CC908FDB71E12C2
1 changed files with 3 additions and 1 deletions
Download patch file Download diff file Expand all files Collapse all files

4
lib/socks_gssapi.c
View file

@ -195,7 +195,9 @@ CURLcode Curl_SOCKS5_gssapi_negotiate(struct Curl_cfilter *cf,
if(gss_token != GSS_C_NO_BUFFER)
gss_release_buffer(&gss_status, &gss_recv_token);
if(check_gss_err(data, gss_major_status,
gss_minor_status, "gss_init_sec_context")) {
gss_minor_status, "gss_init_sec_context") ||
/* the size needs to fit in a 16 bit field */
(gss_send_token.length > 0xffff)) {
gss_release_name(&gss_status, &server);
gss_release_buffer(&gss_status, &gss_recv_token);
gss_release_buffer(&gss_status, &gss_send_token);