romenskiy2012/curl
1
0
Fork 0
mirror of https://github.com/curl/curl.git synced 2026-04-14 22:41:40 +03:00
Code Issues Projects Releases Packages Wiki Activity

socks_sspi: bail out on too long fields

Browse source 
A probably unnecessary precaution but since the field sizes are 16 bit in the
protocol this makes sure to fail if they would ever be larger as that would go
wrong.

Reported in Joshua's sarif data

Closes #18719
This commit is contained in:
Daniel Stenberg 2025-09-25 11:30:24 +02:00
parent 6796147910
commit 943166fed3
No known key found for this signature in database
GPG key ID: 5CC908FDB71E12C2
1 changed files with 12 additions and 3 deletions
Download patch file Download diff file Expand all files Collapse all files

15
lib/socks_sspi.c
View file

@ -193,6 +193,11 @@ CURLcode Curl_SOCKS5_gssapi_negotiate(struct Curl_cfilter *cf,
if(sspi_send_token.cbBuffer) {
socksreq[0] = 1; /* GSS-API subnegotiation version */
socksreq[1] = 1; /* authentication message type */
if(sspi_send_token.cbBuffer > 0xffff) {
/* needs to fit in an unsigned 16 bit field */
result = CURLE_COULDNT_CONNECT;
goto error;
}
us_length = htons((unsigned short)sspi_send_token.cbBuffer);
memcpy(socksreq + 2, &us_length, sizeof(short));
@ -399,9 +404,13 @@ CURLcode Curl_SOCKS5_gssapi_negotiate(struct Curl_cfilter *cf,
goto error;
}
etbuf_size = sspi_w_token[0].cbBuffer +
sspi_w_token[1].cbBuffer +
sspi_w_token[2].cbBuffer;
etbuf_size = sspi_w_token[0].cbBuffer + sspi_w_token[1].cbBuffer +
sspi_w_token[2].cbBuffer;
if(etbuf_size > 0xffff) {
/* needs to fit in an unsigned 16 bit field */
result = CURLE_COULDNT_CONNECT;
goto error;
}
etbuf = malloc(etbuf_size);
if(!etbuf) {
result = CURLE_OUT_OF_MEMORY;