socks_sspi: bail out on too long fields

A probably unnecessary precaution but since the field sizes are 16 bit in the
protocol this makes sure to fail if they would ever be larger as that would go
wrong.

Reported in Joshua's sarif data

Closes #18719

diff --git a/lib/socks_sspi.c b/lib/socks_sspi.c
index 6afc3eac34816bd0639ca5e52371148426a15745..16e22d1f39f5f7831cd84b29509a0d1dc4575044 100644 (file)
--- a/lib/socks_sspi.c
+++ b/lib/socks_sspi.c
@@ -193,6 +193,11 @@ CURLcode Curl_SOCKS5_gssapi_negotiate(struct Curl_cfilter *cf,
     if(sspi_send_token.cbBuffer) {
       socksreq[0] = 1;    /* GSS-API subnegotiation version */
       socksreq[1] = 1;    /* authentication message type */
+      if(sspi_send_token.cbBuffer > 0xffff) {
+        /* needs to fit in an unsigned 16 bit field */
+        result = CURLE_COULDNT_CONNECT;
+        goto error;
+      }
       us_length = htons((unsigned short)sspi_send_token.cbBuffer);
       memcpy(socksreq + 2, &us_length, sizeof(short));
 
@@ -399,9 +404,13 @@ CURLcode Curl_SOCKS5_gssapi_negotiate(struct Curl_cfilter *cf,
       goto error;
     }
 
-    etbuf_size = sspi_w_token[0].cbBuffer +
-                 sspi_w_token[1].cbBuffer +
-                 sspi_w_token[2].cbBuffer;
+    etbuf_size = sspi_w_token[0].cbBuffer + sspi_w_token[1].cbBuffer +
+      sspi_w_token[2].cbBuffer;
+    if(etbuf_size > 0xffff) {
+      /* needs to fit in an unsigned 16 bit field */
+      result = CURLE_COULDNT_CONNECT;
+      goto error;
+    }
     etbuf = malloc(etbuf_size);
     if(!etbuf) {
       result = CURLE_OUT_OF_MEMORY;