From: Evgeny Grin
Date: Wed, 25 May 2022 15:51:19 +0000 (+0300)
Subject: digest: tolerate missing "realm"
X-Git-Tag: curl-7_84_0~98
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=f59508e6cdebb74c0d8c4bacee44a79c8209ac68;p=thirdparty%2Fcurl.git
digest: tolerate missing "realm"
Server headers may not define "realm", avoid NULL pointer dereference in such cases.
Closes #8912
---
diff --git a/lib/vauth/digest.c b/lib/vauth/digest.c
index 3539bdfc36..43b8ad846f 100644
--- a/lib/vauth/digest.c
+++ b/lib/vauth/digest.c
@@ -695,7 +695,7 @@ static CURLcode auth_create_digest_http_message(
 }
 if(digest->userhash) {
- hashthis = aprintf("%s:%s", userp, digest->realm);
+ hashthis = aprintf("%s:%s", userp, digest->realm ? digest->realm : "");
 if(!hashthis)
 return CURLE_OUT_OF_MEMORY;
@@ -715,7 +715,8 @@ static CURLcode auth_create_digest_http_message(
 unq(nonce-value) ":" unq(cnonce-value)
 */
- hashthis = aprintf("%s:%s:%s", userp, digest->realm, passwdp);
+ hashthis = aprintf("%s:%s:%s", userp, digest->realm ? digest->realm : "",
+ passwdp);
 if(!hashthis)
 return CURLE_OUT_OF_MEMORY;
@@ -804,7 +805,13 @@ static CURLcode auth_create_digest_http_message(
 userp_quoted = auth_digest_string_quoted(digest->userhash ? userh : userp);
 if(!userp_quoted)
 return CURLE_OUT_OF_MEMORY;
- realm_quoted = auth_digest_string_quoted(digest->realm);
+ if(digest->realm)
+ realm_quoted = auth_digest_string_quoted(digest->realm);
+ else {
+ realm_quoted = malloc(1);
+ if(realm_quoted)
+ realm_quoted[0] = 0;
+ }
 if(!realm_quoted) {
 free(userp_quoted);
 return CURLE_OUT_OF_MEMORY;
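Review bot: The NULL guard `digest->realm ? digest->realm : ""` is spelled out at each use site instead of once: in the userhash branch (hunk at 695), again in the A1 computation (hunk at 715), and as an if/else in the hunk at 805. Normalising once near the top of auth_create_digest_http_message, e.g. `const char *realm = digest->realm ? digest->realm : "";`, and passing `realm` to both aprintf() calls would leave a single place to get right, so a later use of the field cannot reintroduce the NULL dereference. The function body extends outside these hunks, so whether any other read of `digest->realm` remains unguarded cannot be confirmed from the diff.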
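Review bot: The else branch in the hunk at 805 hand-builds an empty string with `malloc(1)` plus a separate terminator store, and carries no comment saying why an empty value is used. `realm_quoted = strdup("");` would be equivalent, would still fall through to the existing `if(!realm_quoted)` cleanup, and would make the braces unnecessary; a comment such as `/* challenge carried no realm: use an empty quoted string */` would record the intent. Because the response hashes in the two earlier hunks are then computed over an empty realm, it is worth confirming that a challenge without a realm should be accepted here rather than rejected where the header is parsed; that parsing code is outside this diff.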