Commit ef5b9874 authored by Steve Holme

sasl_sspi: Don't use hard coded sizes in Kerberos V5 security data

Don't use a hard coded size of 4 for the security layer and buffer size
in Curl_sasl_create_gssapi_security_message(), instead, use sizeof() as
we have done in the sasl_gssapi module.
parent 697592b3
+4 −5
@@ -1068,8 +1068,6 @@ CURLcode Curl_sasl_create_gssapi_security_message(struct SessionHandle *data,
    max_size = 0;
  }

  outdata = htonl(max_size) | sec_layer;

  /* Allocate the trailer */
  trailer = malloc(sizes.cbSecurityTrailer);
  if(!trailer)
@@ -1084,7 +1082,7 @@ CURLcode Curl_sasl_create_gssapi_security_message(struct SessionHandle *data,
  }

  /* Allocate our message */
  messagelen = 4 + strlen(user_name) + 1;
  messagelen = sizeof(outdata) + strlen(user_name) + 1;
  message = malloc(messagelen);
  if(!message) {
    Curl_safefree(trailer);
@@ -1098,8 +1096,9 @@ CURLcode Curl_sasl_create_gssapi_security_message(struct SessionHandle *data,
     terminator. Note: Dispite RFC4752 Section 3.1 stating "The authorization
     identity is not terminated with the zero-valued (%x00) octet." it seems
     necessary to include it. */
  memcpy(message, &outdata, 4);
  strcpy((char *)message + 4, user_name);
  outdata = htonl(max_size) | sec_layer;
  memcpy(message, &outdata, sizeof(outdata));
  strcpy((char *) message + sizeof(outdata), user_name);
  Curl_unicodefree(user_name);

  /* Allocate the padding */
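Review bot: The security data defined in RFC 4752 Section 3.1 is a fixed four-octet field, so using `sizeof(outdata)` in the `messagelen` computation and in the `memcpy`/`strcpy` offsets makes the wire layout depend on how `outdata` is declared, which is outside these hunks. If that type is ever wider than 32 bits (an `unsigned long` on an LP64 target, for instance), the prefix grows and the user name lands at the wrong offset with no compile-time diagnostic. The allocation and the copies stay consistent with each other, so this would be a malformed message rather than an overflow. I would pin the assumption at the assignment with a comment such as `/* outdata must be exactly 4 octets: 1 octet security layer + 3 octets max size (RFC 4752 3.1) */`, or declare `outdata` with a fixed-width 32-bit type. The body of Curl_sasl_create_gssapi_security_message() starts and ends outside the hunks shown.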