From 6647866bfb9375437b4a4784f8dc72e4f439a220 Mon Sep 17 00:00:00 2001
From: Stephan Bosch
Date: Tue, 28 Oct 2025 14:47:05 +0100
Subject: [PATCH] lib-sasl: server - Enforce absolute limit on the length of authid/authzid

OSS-Fuzz report: 455796070
---
 src/lib-sasl/sasl-common.h | 1 +
 src/lib-sasl/sasl-server-request.c | 14 ++++++++++++++
 2 files changed, 15 insertions(+)

diff --git a/src/lib-sasl/sasl-common.h b/src/lib-sasl/sasl-common.h
index fff7373b3c..70b36007f0 100644
--- a/src/lib-sasl/sasl-common.h
+++ b/src/lib-sasl/sasl-common.h
@@ -6,6 +6,7 @@
 */
 #define SASL_MAX_MESSAGE_SIZE (64 * 1024)
+#define SASL_MAX_AUTHID_SIZE 1024
 /*
 * Mechanism security flags
diff --git a/src/lib-sasl/sasl-server-request.c b/src/lib-sasl/sasl-server-request.c
index 7cfc4abc3d..6f2ccb9431 100644
--- a/src/lib-sasl/sasl-server-request.c
+++ b/src/lib-sasl/sasl-server-request.c
@@ -266,6 +266,13 @@ bool sasl_server_request_set_authid(struct sasl_server_mech_request *mreq,
 struct sasl_server *server = req->sinst->server;
 const struct sasl_server_request_funcs *funcs = server->funcs;
+ if (strlen(authid) > (size_t)SASL_MAX_AUTHID_SIZE) {
+ e_debug(req->event, "Failed to set authid: "
+ "Maximum length exceeded (> %d)", SASL_MAX_AUTHID_SIZE);
+ req->failed = TRUE;
+ return FALSE;
+ }
+
 mreq->authid = p_strdup(req->pool, authid);
 i_assert(req->rctx != NULL);
@@ -288,6 +295,13 @@ bool sasl_server_request_set_authzid(struct sasl_server_mech_request *mreq,
 struct sasl_server *server = req->sinst->server;
 const struct sasl_server_request_funcs *funcs = server->funcs;
+ if (strlen(authzid) > (size_t)SASL_MAX_AUTHID_SIZE) {
+ e_debug(req->event, "Failed to set authzid: "
+ "Maximum length exceeded (> %d)", SASL_MAX_AUTHID_SIZE);
+ req->failed = TRUE;
+ return FALSE;
+ }
+
 i_assert(req->rctx != NULL);
 i_assert(funcs->request_set_authzid != NULL);
 if (!funcs->request_set_authzid(req->rctx, authzid)) {
--
2.47.3
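Review bot: `SASL_MAX_AUTHID_SIZE` is added in sasl-common.h without a comment, and its name hides two things the new checks in sasl-server-request.c depend on. The same limit is applied to authzid as well as authid, and the comparison there is `strlen(...) > SASL_MAX_AUTHID_SIZE`, so the value is a maximum string length that excludes the terminating NUL rather than a buffer size. A one-line comment above the define would settle both, for example `/* Maximum length in bytes of authid and authzid, not counting the NUL */`.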
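Review bot: The new `strlen(authid)` in sasl_server_request_set_authid is the first use of the argument, so the function now needs a non-NULL `authid` before anything else runs. Whether a NULL was tolerated before depends on how `p_strdup()` and the `request_set_authid` callback treat it, which this hunk does not show. Stating the contract in the style the function already uses, `i_assert(authid != NULL);` ahead of the length check, would turn a stray NULL into a clear assertion failure instead of undefined behaviour. The same applies to `strlen(authzid)` in the sasl_server_request_set_authzid hunk. The function body starts and ends outside the hunk.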
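Review bot: The length check in sasl_server_request_set_authzid is a copy of the one added to sasl_server_request_set_authid, differing only in one word of the debug message. The limit, the log text and the `req->failed = TRUE` handling can therefore drift apart when only one copy is edited. A small file-local helper that takes the request, the field name and the string, and returns FALSE after logging, would keep both setters on one policy. If that helper is written, logging the observed length next to the limit would make the debug line more useful for triage, while still keeping the oversized client-supplied value itself out of the log. The function continues past the end of the hunk.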