From 943166fed3d1b8ce6a73b6a1de5de5338dda1428 Mon Sep 17 00:00:00 2001
From: Daniel Stenberg
Date: Thu, 25 Sep 2025 11:30:24 +0200
Subject: [PATCH] socks_sspi: bail out on too long fields

A probably unnecessary precaution but since the field sizes are 16 bit in the protocol this makes sure to fail if they would ever be larger as that would go wrong.

Reported in Joshua's sarif data

Closes #18719
---
lib/socks_sspi.c | 15 ++++++++++++---
1 file changed, 12 insertions(+), 3 deletions(-)

diff --git a/lib/socks_sspi.c b/lib/socks_sspi.c
index 6afc3eac34..16e22d1f39 100644
--- a/lib/socks_sspi.c
+++ b/lib/socks_sspi.c
@@ -193,6 +193,11 @@ CURLcode Curl_SOCKS5_gssapi_negotiate(struct Curl_cfilter *cf,
 if(sspi_send_token.cbBuffer) {
 socksreq[0] = 1; /* GSS-API subnegotiation version */
 socksreq[1] = 1; /* authentication message type */
+ if(sspi_send_token.cbBuffer > 0xffff) {
+ /* needs to fit in an unsigned 16 bit field */
+ result = CURLE_COULDNT_CONNECT;
+ goto error;
+ }
 us_length = htons((unsigned short)sspi_send_token.cbBuffer);
 memcpy(socksreq + 2, &us_length, sizeof(short));
 
@@ -399,9 +404,13 @@ CURLcode Curl_SOCKS5_gssapi_negotiate(struct Curl_cfilter *cf,
 goto error;
 }
 
- etbuf_size = sspi_w_token[0].cbBuffer +
- sspi_w_token[1].cbBuffer +
- sspi_w_token[2].cbBuffer;
+ etbuf_size = sspi_w_token[0].cbBuffer + sspi_w_token[1].cbBuffer +
+ sspi_w_token[2].cbBuffer;
+ if(etbuf_size > 0xffff) {
+ /* needs to fit in an unsigned 16 bit field */
+ result = CURLE_COULDNT_CONNECT;
+ goto error;
+ }
 etbuf = malloc(etbuf_size);
 if(!etbuf) {
 result = CURLE_OUT_OF_MEMORY;
-- 
2.47.3
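Review bot: The new guard `if(sspi_send_token.cbBuffer > 0xffff)` spells out as a bare literal the bound that the `(unsigned short)` cast on the following line depends on; using `USHRT_MAX` from limits.h, or one named constant shared with the identical check in the second hunk, would tie the bound to the cast and make the `/* needs to fit in an unsigned 16 bit field */` comment self-evident. The same literal and comment are repeated in the second hunk, so a single definition near the top of the file would keep both checks in step. Curl_SOCKS5_gssapi_negotiate starts and ends outside this hunk, so whether the `error:` path releases the send token buffer on this new early exit is not visible here and is worth confirming.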
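Review bot: The `etbuf_size > 0xffff` check runs only after the three `cbBuffer` values have been summed, so if `etbuf_size` is a 32-bit type (its declaration is outside the hunk; SSPI's cbBuffer is itself 32-bit) the addition can wrap before the comparison, and a wrapped, small value would pass the check and be handed to `malloc` while the later copies still use the individual token sizes. Bounding each term before the sum keeps the comparison sound: `if(sspi_w_token[0].cbBuffer > 0xffff || sspi_w_token[1].cbBuffer > 0xffff || sspi_w_token[2].cbBuffer > 0xffff) { result = CURLE_COULDNT_CONNECT; goto error; }` placed ahead of the `etbuf_size =` assignment. Whether such sizes can actually come back from the security package is unclear from here, so the practical risk is probably low, but the extra check is cheap and matches the intent stated in the commit message. The enclosing function continues past the end of this hunk.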