]> git.ipfire.org Git - thirdparty/dovecot/core.git/commitdiff
projects / thirdparty / dovecot / core.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 433733d)
lib-oauth2: Fix potential crash or bad handling of JWT array values
authorTimo Sirainen <timo.sirainen@open-xchange.com>
Tue, 3 Feb 2026 11:37:36 +0000 (13:37 +0200)
committeraki.tuomi <aki.tuomi@open-xchange.com>
Fri, 6 Feb 2026 14:34:18 +0000 (14:34 +0000)
If the JWT had an array larger than 8 (fields array's initial size),
the code may have crashed or dropped some of the values in the array.

src/lib-oauth2/oauth2-jwt.c patch | blob | blame | history

diff --git a/src/lib-oauth2/oauth2-jwt.c b/src/lib-oauth2/oauth2-jwt.c
index 8ccff8ca144fb8449c482cda039bcfb9aa4f8599..afceda0a86392aae347fbb7d42c770cf2c9ef620 100644 (file)
--- a/src/lib-oauth2/oauth2-jwt.c
+++ b/src/lib-oauth2/oauth2-jwt.c
@@ -396,7 +396,7 @@ oauth2_jwt_copy_fields(ARRAY_TYPE(oauth2_field) *fields,
                                else
                                        root->prefix = t_strconcat(jnode->name, "_", NULL);
                        } else {
-                               struct oauth2_field *field;
+                               struct oauth2_field *field = NULL, *field_iter;
                                const char *name;
 
                                if (subroot->array) {
@@ -405,11 +405,13 @@ oauth2_jwt_copy_fields(ARRAY_TYPE(oauth2_field) *fields,
                                                name = t_strdup_until(subroot->prefix, name);
                                        else
                                                name = subroot->prefix;
-                                       array_foreach_modifiable(fields, field) {
-                                               if (strcmp(field->name, name) == 0)
+                                       array_foreach_modifiable(fields, field_iter) {
+                                               if (strcmp(field_iter->name, name) == 0) {
+                                                       field = field_iter;
                                                        break;
+                                               }
                                        }
-                                       if (field == NULL || field->name == NULL) {
+                                       if (field == NULL) {
                                                field = array_append_space(fields);
                                                field->name = p_strdup(pool, name);
                                        }
Mirror of https://github.com/dovecot/core.git