From: Daniel Stenberg
Date: Thu, 25 Sep 2025 09:30:24 +0000 (+0200)
Subject: socks_sspi: bail out on too long fields
X-Git-Tag: rc-8_17_0-2~361
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=943166fed3d1b8ce6a73b6a1de5de5338dda1428;p=thirdparty%2Fcurl.git
socks_sspi: bail out on too long fields A probably unnecessary precaution but since the field sizes are 16 bit in the protocol this makes sure to fail if they would ever be larger as that would go wrong. Reported in Joshua's sarif data Closes #18719
---
diff --git a/lib/socks_sspi.c b/lib/socks_sspi.c
index 6afc3eac34..16e22d1f39 100644
--- a/lib/socks_sspi.c
+++ b/lib/socks_sspi.c
@@ -193,6 +193,11 @@ CURLcode Curl_SOCKS5_gssapi_negotiate(struct Curl_cfilter *cf,
 if(sspi_send_token.cbBuffer) {
 socksreq[0] = 1; /* GSS-API subnegotiation version */
 socksreq[1] = 1; /* authentication message type */
+ if(sspi_send_token.cbBuffer > 0xffff) {
+ /* needs to fit in an unsigned 16 bit field */
+ result = CURLE_COULDNT_CONNECT;
+ goto error;
+ }
 us_length = htons((unsigned short)sspi_send_token.cbBuffer);
 memcpy(socksreq + 2, &us_length, sizeof(short));
@@ -399,9 +404,13 @@ CURLcode Curl_SOCKS5_gssapi_negotiate(struct Curl_cfilter *cf,
 goto error;
 }
- etbuf_size = sspi_w_token[0].cbBuffer +
- sspi_w_token[1].cbBuffer +
- sspi_w_token[2].cbBuffer;
+ etbuf_size = sspi_w_token[0].cbBuffer + sspi_w_token[1].cbBuffer +
+ sspi_w_token[2].cbBuffer;
+ if(etbuf_size > 0xffff) {
+ /* needs to fit in an unsigned 16 bit field */
+ result = CURLE_COULDNT_CONNECT;
+ goto error;
+ }
 etbuf = malloc(etbuf_size);
 if(!etbuf) {
 result = CURLE_OUT_OF_MEMORY;
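Review bot: The new `sspi_send_token.cbBuffer > 0xffff` guard sets `CURLE_COULDNT_CONNECT` and jumps to `error` without emitting any diagnostic, so a user who ever hits it sees only a generic connect failure with no hint that the SSPI token was oversized; if the easy handle is reachable here as it presumably is elsewhere in this function, a `failf(data, "SOCKS5 GSS-API token too large (%lu bytes)", (unsigned long)sspi_send_token.cbBuffer);` before the `goto` would make the bail-out debuggable. The `0xffff` literal is also repeated verbatim in the second hunk with the same comment; a single named constant for the 16-bit length field limit would tie the two checks together and keep them from drifting apart. The body of `Curl_SOCKS5_gssapi_negotiate` starts and ends outside this hunk, so I cannot confirm which diagnostic helpers are in scope.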
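Review bot: The `etbuf_size > 0xffff` check runs only after the three `cbBuffer` values have already been summed, so if `etbuf_size` has the same 32-bit unsigned width as `SecBuffer.cbBuffer` (its declaration is outside the hunk, so this is inferred), a pathological combination could wrap the sum, slip under the bound, and lead to an undersized `malloc(etbuf_size)` for the copies that follow. Bounding each addend first removes that possibility cheaply, e.g. `if(sspi_w_token[0].cbBuffer > 0xffff || sspi_w_token[1].cbBuffer > 0xffff || sspi_w_token[2].cbBuffer > 0xffff)` ahead of the addition, after which the existing sum check is safe. Either way, the comment should say what the 16-bit field is, since the write of the length into it happens further down, outside this hunk, and `Curl_SOCKS5_gssapi_negotiate` continues past the last line shown.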