From 80258309b26546e27837432b0121f4e65e74b030 Mon Sep 17 00:00:00 2001
From: Daniel Stenberg
Date: Thu, 30 Oct 2025 14:42:03 +0100
Subject: [PATCH] lib: reduce memcpy calls
socks_gssapi: the malloc + memcpy was superflous and can be skipped
cleartext: avoid malloc + three memcpy with aprintf()
digest_sspi: use memdup0 instead of malloc + memcpy
vtls: use memdup0 instead of malloc + memcpy
Closes #19282
---
 lib/socks_gssapi.c | 16 +++-------------
 lib/vauth/cleartext.c | 39 ++++++++++++++-------------------------
 lib/vauth/digest_sspi.c | 13 ++-----------
 lib/vtls/vtls.c | 5 ++---
 4 files changed, 21 insertions(+), 52 deletions(-)
diff --git a/lib/socks_gssapi.c b/lib/socks_gssapi.c
index 34380ae9a0..929132f570 100644
--- a/lib/socks_gssapi.c
+++ b/lib/socks_gssapi.c
@@ -126,7 +126,6 @@ CURLcode Curl_SOCKS5_gssapi_negotiate(struct Curl_cfilter *cf,
 gss_name_t server = GSS_C_NO_NAME;
 gss_name_t gss_client_name = GSS_C_NO_NAME;
 unsigned short us_length;
- char *user = NULL;
 unsigned char socksreq[4]; /* room for GSS-API exchange header only */
 const char *serviceptr = data->set.str[STRING_PROXY_SERVICE_NAME] ? data->set.str[STRING_PROXY_SERVICE_NAME] : "rcmd";
@@ -327,21 +326,12 @@ CURLcode Curl_SOCKS5_gssapi_negotiate(struct Curl_cfilter *cf,
 failf(data, "Failed to determine username.");
 return CURLE_COULDNT_CONNECT;
 }
- user = malloc(gss_send_token.length + 1);
- if(!user) {
- Curl_gss_delete_sec_context(&gss_status, &gss_context, NULL);
- gss_release_name(&gss_status, &gss_client_name);
- gss_release_buffer(&gss_status, &gss_send_token);
- return CURLE_OUT_OF_MEMORY;
- }
- memcpy(user, gss_send_token.value, gss_send_token.length);
- user[gss_send_token.length] = '\0';
+ infof(data, "SOCKS5 server authenticated user %.*s with GSS-API.",
+ (int)gss_send_token.length, (char *)gss_send_token.value);
+
 gss_release_name(&gss_status, &gss_client_name);
 gss_release_buffer(&gss_status, &gss_send_token);
- infof(data, "SOCKS5 server authenticated user %s with GSS-API.",user);
- free(user);
- user = NULL;
 /* Do encryption */
 socksreq[0] = 1; /* GSS-API subnegotiation version */
diff --git a/lib/vauth/cleartext.c b/lib/vauth/cleartext.c
index dcfb13912d..884ebce0f2 100644
--- a/lib/vauth/cleartext.c
+++ b/lib/vauth/cleartext.c
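Review bot: The `(int)gss_send_token.length` cast in the new `infof()` call is now the only bound on the read of `gss_send_token.value`, which carries no NUL terminator of its own (the removed code appended one after copying). If the length ever exceeded `INT_MAX` the precision would turn negative, and standard printf semantics treat a negative `%.*s` precision as absent, so the formatter would scan for a terminator that may not exist; whether curl's own formatter behaves the same way would need checking. The value appears to come from the GSS-API library, so this is unlikely in practice, but rejecting or clamping lengths above `INT_MAX` before the call would make the bound explicit. The name is still logged unfiltered, as before, and the function body continues outside the hunk.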
@@ -62,35 +62,24 @@ CURLcode Curl_auth_create_plain_message(const char *authzid,
 const char *passwd, struct bufref *out)
 {
- char *plainauth;
- size_t plainlen;
- size_t zlen;
- size_t clen;
- size_t plen;
+ size_t len;
+ char *auth;
- zlen = (authzid == NULL ? 0 : strlen(authzid));
- clen = strlen(authcid);
- plen = strlen(passwd);
+ size_t zlen = (authzid == NULL ? 0 : strlen(authzid));
+ size_t clen = strlen(authcid);
+ size_t plen = strlen(passwd);
- /* Compute binary message length. Check for overflows. */
- if((zlen > SIZE_MAX/4) || (clen > SIZE_MAX/4) ||
- (plen > (SIZE_MAX/2 - 2)))
- return CURLE_OUT_OF_MEMORY;
- plainlen = zlen + clen + plen + 2;
+ if((zlen > CURL_MAX_INPUT_LENGTH) || (clen > CURL_MAX_INPUT_LENGTH) ||
+ (plen > CURL_MAX_INPUT_LENGTH))
+ return CURLE_TOO_LARGE;
- plainauth = malloc(plainlen + 1);
- if(!plainauth)
- return CURLE_OUT_OF_MEMORY;
+ len = zlen + clen + plen + 2;
- /* Calculate the reply */
- if(zlen)
- memcpy(plainauth, authzid, zlen);
- plainauth[zlen] = '\0';
- memcpy(plainauth + zlen + 1, authcid, clen);
- plainauth[zlen + clen + 1] = '\0';
- memcpy(plainauth + zlen + clen + 2, passwd, plen);
- plainauth[plainlen] = '\0';
- Curl_bufref_set(out, plainauth, plainlen, curl_free);
+ auth = curl_maprintf("%s%c%s%c%s", authzid ? authzid : "", '\0',
+ authcid, '\0', passwd);
+ if(!auth)
+ return CURLE_OUT_OF_MEMORY;
+ Curl_bufref_set(out, auth, len, curl_free);
 return CURLE_OK;
 }
diff --git a/lib/vauth/digest_sspi.c b/lib/vauth/digest_sspi.c
index 5bf3770565..9441ee26fc 100644
--- a/lib/vauth/digest_sspi.c
+++ b/lib/vauth/digest_sspi.c
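Review bot: The `len` handed to `Curl_bufref_set()` is computed from the three `strlen()` results rather than from what `curl_maprintf()` actually wrote, so the recorded length and the buffer content agree only on the assumption that `%c` with `'\0'` emits exactly one byte. The removed comments are gone and nothing now explains the embedded NULs; a comment above the call such as `/* authzid NUL authcid NUL passwd: embedded NULs, so len is tracked separately and must match the formatted output */` would document that. The oversize case also changes from `CURLE_OUT_OF_MEMORY` to `CURLE_TOO_LARGE`, which is worth checking against callers outside this hunk. If the formatter has its own output cap (not visible here), inputs that pass the per-field check could still fail inside `curl_maprintf()` and be reported as out-of-memory.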
@@ -629,24 +629,15 @@ CURLcode Curl_auth_create_digest_http_message(struct Curl_easy *data,
 Curl_sspi_free_identity(p_identity);
 }
- resp = malloc(output_token_len + 1);
+ resp = Curl_memdup0((const char *)output_token, output_token_len);
+ free(output_token);
 if(!resp) {
- free(output_token);
-
 return CURLE_OUT_OF_MEMORY;
 }
- /* Copy the generated response */
- memcpy(resp, output_token, output_token_len);
- resp[output_token_len] = 0;
-
 /* Return the response */
 *outptr = resp;
 *outlen = output_token_len;
-
- /* Free the response buffer */
- free(output_token);
-
 return CURLE_OK;
 }
diff --git a/lib/vtls/vtls.c b/lib/vtls/vtls.c
index 3cd60e91b9..22d820b160 100644
--- a/lib/vtls/vtls.c
+++ b/lib/vtls/vtls.c
@@ -75,6 +75,7 @@
 #include "../select.h"
 #include "../setopt.h"
 #include "../rand.h"
+#include "../strdup.h"
 #ifdef USE_APPLE_SECTRUST
 #include
@@ -2060,11 +2061,9 @@ CURLcode Curl_alpn_set_negotiated(struct Curl_cfilter *cf,
 result = CURLE_SSL_CONNECT_ERROR;
 goto out;
 }
- connssl->negotiated.alpn = malloc(proto_len + 1);
+ connssl->negotiated.alpn = Curl_memdup0((const char *)proto, proto_len);
 if(!connssl->negotiated.alpn) return CURLE_OUT_OF_MEMORY;
- memcpy(connssl->negotiated.alpn, proto, proto_len);
- connssl->negotiated.alpn[proto_len] = 0;
 }
 if(proto && proto_len) {
--
2.47.3
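Review bot: `Curl_memdup0()` is introduced in digest_sspi.c without any include change, whereas the vtls.c section of this patch adds `#include "../strdup.h"` for the same call. Presumably digest_sspi.c already pulls that header in, but the file is only built in SSPI configurations, so this is worth confirming on such a build. With `free(output_token)` hoisted above the check, the `if(!resp)` body is a single `return`, so the braces could be dropped to match the unbraced form used in the vtls.c hunk. The function starts outside the hunk.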
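Review bot: In `Curl_alpn_set_negotiated()` the allocation-failure path right after the new `Curl_memdup0()` call returns `CURLE_OUT_OF_MEMORY` directly, while the error branch just above it sets `result` and does `goto out`. That `return` is an unchanged context line, but since the hunk rewrites the allocation it is a good moment to confirm that nothing under the `out:` label (outside the hunk) has to run on OOM, or to switch to `result = CURLE_OUT_OF_MEMORY; goto out;` for consistency. `proto` is the peer-negotiated protocol, so it is also worth confirming that `proto_len` is bounded before this point; the preceding branch suggests a check exists, but it is not visible here.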