lib-auth: scram - Ensure client proof field syntax before validation
authorKarl Fleischmann <karl.fleischmann@open-xchange.com>
Fri, 1 May 2026 07:11:15 +0000 (09:11 +0200)
committerKarl Fleischmann <karl.fleischmann@open-xchange.com>
Wed, 6 May 2026 12:35:39 +0000 (14:35 +0200)
src/lib-auth/auth-scram-server.c

index 008a819720d249dfdcc92097f7d92fd2f4b3737e..60b8a476af5312b36f84f42c428e47d02af065f8 100644 (file)
@@ -422,7 +422,13 @@ auth_scram_parse_client_final(struct auth_scram_server *server,
        /* proof           = "p=" base64
         */
        if (fields[field_count-1][0] == 'p') {
-               size_t len = strlen(&fields[field_count-1][2]);
+               size_t len = strlen(fields[field_count - 1]);
+
+               if (len < 3 || fields[field_count-1][1] != '=') {
+                       *error_r = "Invalid ClientProof";
+                       return -1;
+               }
+               len -= 2;
 
                server->proof = buffer_create_dynamic(server->pool,
                                        MAX_BASE64_DECODED_SIZE(len));
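Review bot: The new guard is correct (a field of "p" or "p=" is now rejected before `&fields[field_count-1][2]` is used, which previously could read past the terminator), but the hunk mixes `fields[field_count - 1]` on the added strlen line with `fields[field_count-1]` on the surrounding lines, and the same expression is now indexed four times. Binding it once makes the syntax check read as a unit: `const char *proof_field = fields[field_count-1];` followed by `size_t len = strlen(proof_field);` and `if (len < 3 || proof_field[1] != '=') {`. A short comment on the check would also record the intent, e.g. `/* need "p=" followed by at least one base64 character */`, since the literal 3 is otherwise a magic number. auth_scram_parse_client_final begins before this hunk and continues after it, so whether the decode that follows bounds itself by this `len` cannot be confirmed here.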