From: Stephan Bosch
Date: Mon, 9 Nov 2020 23:11:07 +0000 (+0100)
Subject: auth: mech-scram - Properly size temporary string buffers.
X-Git-Tag: 2.3.18~76
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=a164ea37869e7bda3f2c7bebd54a12262a9ab342;p=thirdparty%2Fdovecot%2Fcore.git
auth: mech-scram - Properly size temporary string buffers.
---
diff --git a/src/auth/mech-scram.c b/src/auth/mech-scram.c
index b88d2ab666..9ad1c62159 100644
--- a/src/auth/mech-scram.c
+++ b/src/auth/mech-scram.c
@@ -69,7 +69,8 @@ get_scram_server_first(struct scram_auth_request *request,
 snonce[sizeof(snonce)-1] = '\0';
 request->snonce = p_strndup(request->pool, snonce, sizeof(snonce));
- str = t_str_new(sizeof(snonce));
+ str = t_str_new(32 + strlen(request->cnonce) + sizeof(snonce) +
+ strlen(salt));
 str_printfa(str, "r=%s%s,s=%s,i=%d", request->cnonce, request->snonce, salt, iter);
 return str_c(str);
@@ -91,7 +92,7 @@ static const char *get_scram_server_final(struct scram_auth_request *request)
 hmac_update(&ctx, auth_message, strlen(auth_message));
 hmac_final(&ctx, server_signature);
- str = t_str_new(MAX_BASE64_ENCODED_SIZE(sizeof(server_signature)));
+ str = t_str_new(2 + MAX_BASE64_ENCODED_SIZE(sizeof(server_signature)));
 str_append(str, "v=");
 base64_encode(server_signature, sizeof(server_signature), str);
@@ -334,7 +335,7 @@ parse_scram_client_final(struct scram_auth_request *request,
 }
 cbind_input = t_strconcat(request->gs2_cbind_flag, ",,", NULL);
- str = t_str_new(MAX_BASE64_ENCODED_SIZE(strlen(cbind_input)));
+ str = t_str_new(2 + MAX_BASE64_ENCODED_SIZE(strlen(cbind_input)));
 str_append(str, "c=");
 base64_encode(cbind_input, strlen(cbind_input), str);
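Review bot: The literal `32` in the new `t_str_new(...)` argument in get_scram_server_first is unexplained; it appears to stand for the fixed `r=`, `,s=` and `,i=` separators plus the decimal digits of `iter`, but a reader cannot verify that from the code. I would add `/* 32: "r=" ",s=" ",i=" plus room for the %d iteration count */` above the call. If `str` is a growable string, as the append-style calls suggest, the argument is only an initial-capacity hint, so the old undersized value would have cost a reallocation rather than overrun a buffer. Saying so in the commit message would help anyone triaging this change for backport. The function body starts and ends outside the hunk.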
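Review bot: The `2 +` added in get_scram_server_final is tied by hand to the length of the `"v="` prefix appended on the next line, and the third hunk repeats the pattern in parse_scram_client_final for `"c="`. If either prefix changes, the size silently goes stale; a short comment such as `/* 2 = strlen("v=") */` (and `/* 2 = strlen("c=") */` in the third hunk) keeps the two coupled. In the third hunk `strlen(cbind_input)` is also evaluated twice on adjacent lines and could be held in a local `size_t`. Both function bodies continue outside their hunks.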