lib-sasl: server - Enforce absolute limit on the length of authid/authzid
authorStephan Bosch <stephan.bosch@open-xchange.com>
Tue, 28 Oct 2025 13:47:05 +0000 (14:47 +0100)
committeraki.tuomi <aki.tuomi@open-xchange.com>
Fri, 31 Oct 2025 19:57:35 +0000 (19:57 +0000)
OSS-Fuzz report: 455796070

src/lib-sasl/sasl-common.h
src/lib-sasl/sasl-server-request.c

index fff7373b3c31df09523ed9ea912ccd72acfda3ce..70b36007f08bc8706c8fc6df1501cca3c5bb28e1 100644 (file)
@@ -6,6 +6,7 @@
  */
 
 #define SASL_MAX_MESSAGE_SIZE (64 * 1024)
+#define SASL_MAX_AUTHID_SIZE 1024
 
 /*
  * Mechanism security flags
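Review bot: `SASL_MAX_AUTHID_SIZE` lands in the header with no comment, so a reader here cannot tell that it is a byte limit (the callers in sasl-server-request.c compare it against `strlen()`), that it covers both the authid and the authzid, or how it relates to `SASL_MAX_MESSAGE_SIZE` directly above it. A one-line comment would carry that: `/* Maximum length in bytes of an authid or authzid; longer identities are rejected by sasl_server_request_set_authid()/_set_authzid() */`. If 1024 was chosen for a specific reason (a backend limit, the fuzzer finding), naming it in the comment would spare the next person from re-deriving it.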
index 7cfc4abc3d493e5073475aa83292efa4ad5752f1..6f2ccb94311b3f1de3e70af39b55dd33df67727a 100644 (file)
@@ -266,6 +266,13 @@ bool sasl_server_request_set_authid(struct sasl_server_mech_request *mreq,
        struct sasl_server *server = req->sinst->server;
        const struct sasl_server_request_funcs *funcs = server->funcs;
 
+       if (strlen(authid) > (size_t)SASL_MAX_AUTHID_SIZE) {
+               e_debug(req->event, "Failed to set authid: "
+                       "Maximum length exceeded (> %d)", SASL_MAX_AUTHID_SIZE);
+               req->failed = TRUE;
+               return FALSE;
+       }
+
        mreq->authid = p_strdup(req->pool, authid);
 
        i_assert(req->rctx != NULL);
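Review bot: `strlen(authid)` is now the first thing the function does with its argument, so a NULL authid would crash here, whereas before this change the value only went to `p_strdup()`, which in Dovecot's lib, as far as I recall, passes NULL through; if any mechanism relied on that, the contract has changed silently. Given the `i_assert()` style already used further down, the cleanest fix is to make the precondition explicit with `i_assert(authid != NULL);` ahead of the new check, or, if NULL must remain legal, guard it with `if (authid != NULL && strlen(authid) > (size_t)SASL_MAX_AUTHID_SIZE)`. Separately, the limit is enforced in bytes, so a multibyte identity is rejected at fewer characters than the number suggests; logging the observed length (`"(%zu > %d)"`) would make fuzzer and field reports easier to triage. The function's signature is only visible in the hunk header and its body continues past the hunk.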
@@ -288,6 +295,13 @@ bool sasl_server_request_set_authzid(struct sasl_server_mech_request *mreq,
        struct sasl_server *server = req->sinst->server;
        const struct sasl_server_request_funcs *funcs = server->funcs;
 
+       if (strlen(authzid) > (size_t)SASL_MAX_AUTHID_SIZE) {
+               e_debug(req->event, "Failed to set authzid: "
+                       "Maximum length exceeded (> %d)", SASL_MAX_AUTHID_SIZE);
+               req->failed = TRUE;
+               return FALSE;
+       }
+
        i_assert(req->rctx != NULL);
        i_assert(funcs->request_set_authzid != NULL);
        if (!funcs->request_set_authzid(req->rctx, authzid)) {
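Review bot: The seven-line check added here is a copy of the one added to `sasl_server_request_set_authid`, differing only in the word inside the log message, which is how two such limits drift apart over time. A small static helper taking the identity and its name keeps the comparison, the cast and the log text in one place, and each caller shrinks to a two-line guard. The type of `req` is not visible in the hunk, so the parameter type below is a guess to be adjusted; the enclosing function's body continues past the hunk.
```c
/* Reject an identity longer than SASL_MAX_AUTHID_SIZE bytes before it is
   stored or handed to the backend; marks the request failed on rejection. */
static bool
sasl_server_request_check_id_len(struct sasl_server_request *req,
				 const char *what, const char *id)
{
	if (strlen(id) <= (size_t)SASL_MAX_AUTHID_SIZE)
		return TRUE;
	e_debug(req->event, "Failed to set %s: "
		"Maximum length exceeded (> %d)", what, SASL_MAX_AUTHID_SIZE);
	req->failed = TRUE;
	return FALSE;
}

/* … unchanged: sasl_server_request_set_authid up to the length check … */
	if (!sasl_server_request_check_id_len(req, "authid", authid))
		return FALSE;

/* … unchanged: sasl_server_request_set_authzid up to the length check … */
	if (!sasl_server_request_check_id_len(req, "authzid", authzid))
		return FALSE;
```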