From: Daniel Stenberg
Date: Mon, 22 Sep 2025 09:08:43 +0000 (+0200)
Subject: socks_gssapi: reject too long tokens
X-Git-Tag: rc-8_17_0-2~380
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=7cb5e39f3682daf99d21a25c61841e1bf05ea693;p=thirdparty%2Fcurl.git

socks_gssapi: reject too long tokens

If GSS returns a token to use that is longer than 65535 bytes, it can't be transmitted since the length field is an unsigned 16 bit field and thus needs to trigger an error.

Reported in Joshua's sarif data

Closes #18681
---
diff --git a/lib/socks_gssapi.c b/lib/socks_gssapi.c index 0a7ddd5ff1..037515e576 100644 --- a/lib/socks_gssapi.c +++ b/lib/socks_gssapi.c @@ -195,7 +195,9 @@ CURLcode Curl_SOCKS5_gssapi_negotiate(struct Curl_cfilter *cf, if(gss_token != GSS_C_NO_BUFFER) gss_release_buffer(&gss_status, &gss_recv_token); if(check_gss_err(data, gss_major_status, - gss_minor_status, "gss_init_sec_context")) { + gss_minor_status, "gss_init_sec_context") || + /* the size needs to fit in a 16 bit field */ + (gss_send_token.length > 0xffff)) { gss_release_name(&gss_status, &server); gss_release_buffer(&gss_status, &gss_recv_token); gss_release_buffer(&gss_status, &gss_send_token);
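Review bot: the new `(gss_send_token.length > 0xffff)` condition fails without saying why. It is OR-ed onto the `check_gss_err()` test, which is handed `data` and the operation name "gss_init_sec_context" and so presumably reports a GSS-API status failure, but a token that is merely too large takes the same release-and-bail path with no message of its own, leaving the user with an unexplained SOCKS5 GSS-API failure. Suggest giving the size check its own branch before the shared cleanup, e.g. `failf(data, "GSS-API token too large for SOCKS5 (%zu bytes)", gss_send_token.length);` (casting as needed for the platform's `length` type), and replacing the bare `0xffff` with a named constant whose comment says it is the two-octet len field of the RFC 1961 message, so the bound is tied to the wire format rather than to a magic number.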
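The framing the commit message is about, as an added example that is not curl's code: the RFC 1961 SOCKS5 GSS-API authentication message carries the token behind a one-octet version, a one-octet message type and a two-octet big-endian length, so the length field cannot describe a token longer than 65535 octets. The encoder below refuses such a token instead of letting the length wrap, and a helper shows what the field would carry if the token were written anyway. All names here (`socks5_gss_frame`, `SOCKS5_GSS_*`, `socks5_gss_roundtrip_len`) are this example's own, and the sample token bytes are constructed, not a real GSS-API token.

```c
/*
 * Added example, not curl's code: framing a GSS-API token for the SOCKS5
 * GSS-API authentication message of RFC 1961, section 3:
 *
 *   +------+------+------+.......................+
 *   | ver  | mtyp | len  |       token           |
 *   +------+------+------+.......................+
 *   | 0x01 | 0x01 | 2 oct| up to 2^16 - 1 octets |
 *
 * "len" is a two-octet big-endian field, so a token longer than 65535
 * octets cannot be framed; the only safe answer is to refuse it.
 */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define SOCKS5_GSS_VER       0x01   /* subnegotiation version */
#define SOCKS5_GSS_MTYP_AUTH 0x01   /* message type: authentication */
#define SOCKS5_GSS_HDRLEN    4      /* ver + mtyp + 2-octet len */
#define SOCKS5_GSS_MAXTOKEN  0xffff /* largest value the len field holds */

/* Writes a complete RFC 1961 authentication message into 'out'.
 * Returns the number of bytes written, or 0 if the token does not fit
 * in the 16-bit length field or 'out' is too small. */
size_t socks5_gss_frame(uint8_t *out, size_t outcap,
                        const uint8_t *token, size_t toklen)
{
  if(toklen > SOCKS5_GSS_MAXTOKEN)
    return 0;                         /* the case the curl fix rejects */
  if(outcap < SOCKS5_GSS_HDRLEN + toklen)
    return 0;
  out[0] = SOCKS5_GSS_VER;
  out[1] = SOCKS5_GSS_MTYP_AUTH;
  out[2] = (uint8_t)(toklen >> 8);    /* network byte order */
  out[3] = (uint8_t)(toklen & 0xff);
  memcpy(out + SOCKS5_GSS_HDRLEN, token, toklen);
  return SOCKS5_GSS_HDRLEN + toklen;
}

/* What the len field would announce if an oversized token were written
 * without the check: only the low 16 bits survive, so the peer parses a
 * short message and the rest of the token arrives as a bogus next one. */
unsigned socks5_gss_len_field(size_t toklen)
{
  return (unsigned)(toklen & 0xffff);
}

/* Self-check helper: frames a zero-filled token of 'toklen' octets into a
 * heap buffer and returns the len value a peer would parse back out, or
 * -1 if framing was refused. */
long socks5_gss_roundtrip_len(size_t toklen)
{
  uint8_t *tok = calloc(toklen ? toklen : 1, 1);
  uint8_t *frame = malloc(SOCKS5_GSS_HDRLEN + toklen);
  long result = -1;
  if(tok && frame &&
     socks5_gss_frame(frame, SOCKS5_GSS_HDRLEN + toklen, tok, toklen) != 0)
    result = ((long)frame[2] << 8) | frame[3];
  free(tok);
  free(frame);
  return result;
}

int main(void)
{
  /* constructed sample bytes, not a real GSS-API token */
  uint8_t tok[8] = {0x60, 0x06, 0x06, 0x2b, 0x06, 0x01, 0x05, 0x02};
  uint8_t frame[16];
  size_t n = socks5_gss_frame(frame, sizeof frame, tok, sizeof tok);
  if(n)
    printf("frame of %zu bytes: ver=%02x mtyp=%02x len=%02x%02x\n",
           n, frame[0], frame[1], frame[2], frame[3]);
  printf("65535-octet token framed? len=%ld\n",
         socks5_gss_roundtrip_len(SOCKS5_GSS_MAXTOKEN));
  printf("65536-octet token framed? len=%ld (refused)\n",
         socks5_gss_roundtrip_len(SOCKS5_GSS_MAXTOKEN + 1));
  printf("a 0x10001-octet token would be announced as %u octets\n",
         socks5_gss_len_field(0x10001));
  return 0;
}
```

The boundary matters: 65535 is the largest legal token and must still be accepted, which is why the comparison is `>` and not `>=`, matching the `> 0xffff` in the patch.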