Commit c56f9797 authored by Jonathan Nieder's avatar Jonathan Nieder Committed by Daniel Stenberg
Browse files

sasl: allow arbitrarily long username and password 

Use appropriately sized buffers on the heap instead of fixed-size
buffers on the stack, to allow for longer usernames and passwords.

Callers never pass anything longer than MAX_CURL_USER_LENGTH (resp.
MAX_CURL_PASSWORD_LENGTH), so no functional change inteded yet.
parent 9281be36

lib/curl_sasl.c

+16 −9
Original line number Diff line number Diff line
@@ -94,18 +94,18 @@ CURLcode Curl_sasl_create_plain_message(struct SessionHandle *data, 
                                        const char *passwdp,

                                        char **outptr, size_t *outlen)

{

  char plainauth[2 * MAX_CURL_USER_LENGTH + MAX_CURL_PASSWORD_LENGTH];

  CURLcode result;

  char *plainauth;

  size_t ulen;

  size_t plen;



  ulen = strlen(userp);

  plen = strlen(passwdp);



  if(2 * ulen + plen + 2 > sizeof(plainauth)) {

  plainauth = malloc(2 * ulen + plen + 2);

  if(!plainauth) {

    *outlen = 0;

    *outptr = NULL;



    /* Plainauth too small */

    return CURLE_OUT_OF_MEMORY;

  }
@@ -117,8 +117,10 @@ CURLcode Curl_sasl_create_plain_message(struct SessionHandle *data, 
  memcpy(plainauth + 2 * ulen + 2, passwdp, plen);



  /* Base64 encode the reply */

  return Curl_base64_encode(data, plainauth, 2 * ulen + plen + 2, outptr,

  result = Curl_base64_encode(data, plainauth, 2 * ulen + plen + 2, outptr,

                              outlen);

  Curl_safefree(plainauth);

  return result;

}



/*
@@ -190,7 +192,7 @@ CURLcode Curl_sasl_create_cram_md5_message(struct SessionHandle *data, 
  size_t chlglen = 0;

  HMAC_context *ctxt;

  unsigned char digest[MD5_DIGEST_LEN];

  char response[MAX_CURL_USER_LENGTH + 2 * MD5_DIGEST_LEN + 1];

  char *response;



  /* Decode the challenge if necessary */

  if(chlg64len && *chlg64 != '=') {
@@ -220,14 +222,19 @@ CURLcode Curl_sasl_create_cram_md5_message(struct SessionHandle *data, 
  Curl_HMAC_final(ctxt, digest);



  /* Prepare the response */

  snprintf(response, sizeof(response),

  response = aprintf(

      "%s %02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x",

           userp, digest[0], digest[1], digest[2], digest[3], digest[4],

           digest[5], digest[6], digest[7], digest[8], digest[9], digest[10],

           digest[11], digest[12], digest[13], digest[14], digest[15]);

  if(!response)

    return CURLE_OUT_OF_MEMORY;



  /* Base64 encode the reply */

  return Curl_base64_encode(data, response, 0, outptr, outlen);

  result = Curl_base64_encode(data, response, 0, outptr, outlen);



  Curl_safefree(response);

  return result;

}



/*