From 01057d61618f68f3f77724f9be5f1abde8c29e55 Mon Sep 17 00:00:00 2001
From: Daniel Stenberg
Date: Fri, 13 Oct 2023 00:15:29 +0200
Subject: [PATCH] socks: better buffer size checks for socks4a user and hostname

Also limit the proxy user name to 255 bytes, which is the same limit as in SOCKS5.

Reported-by: sd0 on hackerone
Closes #12139
---
 lib/socks.c | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/lib/socks.c b/lib/socks.c
index a7b5ab07e4..6d6368c3a5 100644
--- a/lib/socks.c
+++ b/lib/socks.c
@@ -402,8 +402,11 @@ CONNECT_REQ_INIT:
 socksreq[8] = 0; /* ensure empty userid is NUL-terminated */
 if(sx->proxy_user) {
 size_t plen = strlen(sx->proxy_user);
- if(plen >= (size_t)data->set.buffer_size - 8) {
- failf(data, "Too long SOCKS proxy user name, can't use");
+ if(plen > 255) {
+ /* there is no real size limit to this field in the protocol, but
+ SOCKS5 limits the proxy user field to 255 bytes and it seems likely
+ that a longer field is either a mistake or malicous input */
+ failf(data, "Too long SOCKS proxy user name");
 return CURLPX_LONG_USER;
 }
 /* copy the proxy name WITH trailing zero */
@@ -426,7 +429,8 @@ CONNECT_REQ_INIT:
 socksreq[7] = 1;
 /* append hostname */
 hostnamelen = strlen(sx->hostname) + 1; /* length including NUL */
- if(hostnamelen <= 255)
+ if((hostnamelen <= 255) &&
+ (packetsize + hostnamelen < data->set.buffer_size))
 strcpy((char *)socksreq + packetsize, sx->hostname);
 else {
 failf(data, "SOCKS4: too long host name");
-- 
2.47.3
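Review bot: The replacement check `if(plen > 255)` drops the only comparison of the user name against `data->set.buffer_size`, so the copy "WITH trailing zero" at offset 8 now needs 8 + 255 + 1 = 264 bytes of `socksreq` without any check visible in this hunk; this is only safe if the buffer-size minimum enforced elsewhere is at least 264, which cannot be confirmed from the patch. If that minimum is guaranteed, a comment stating the dependency would make the reasoning checkable, e.g. `/* 8 + 255 + NUL = 264 bytes, below the smallest allowed buffer_size */`; otherwise keep both bounds: `if(plen > 255 || plen + 9 > (size_t)data->set.buffer_size) {`. The added comment also misspells "malicious" as "malicous". The enclosing function and the CONNECT_REQ_INIT label start outside the hunk.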
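Review bot: The new condition `packetsize + hostnamelen < data->set.buffer_size` compares a byte count with `buffer_size` without the `(size_t)` cast the removed line in the user-name hunk applied to the same field, which suggests `buffer_size` is not a `size_t`; if it is a signed type the comparison is signed/unsigned and `-Wsign-compare` will flag it, so `(packetsize + hostnamelen < (size_t)data->set.buffer_size)` is the safer spelling. Separately, the `else` branch now reports both a hostname over 255 bytes and a hostname that merely does not fit the configured buffer as "SOCKS4: too long host name", which makes the buffer-size case hard to diagnose from the error text; a distinct message for the second case, such as `"SOCKS4: host name does not fit in the buffer"`, would help. The `else` block continues past the end of the hunk.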