os400sys: fix theoretical length overflows

When converting a `size_t` to `unsigned int`.

Another instance spotted by Copilot.

Reported-by: Gao Liyou
Ref: #21825
Closes #21840

diff --git a/projects/OS400/os400sys.c b/projects/OS400/os400sys.c
index 36ed2480ead645321ca44f31cd8d9e1b48a682f2..dbceaf62593a966178a06b5cc66fb2b03f7333f3 100644 (file)
--- a/projects/OS400/os400sys.c
+++ b/projects/OS400/os400sys.c
@@ -370,6 +370,10 @@ static int Curl_gss_convert_in_place(OM_uint32 *minor_status, gss_buffer_t buf)
   return 0;
 }
 
+/* Max string input length is a precaution against abuse and to detect junk
+   input easier and better. */
+#define CURL_MAX_INPUT_LENGTH 8000000
+
 OM_uint32 Curl_gss_import_name_a(OM_uint32 *minor_status, gss_buffer_t in_name,
                                  gss_OID in_name_type, gss_name_t *out_name)
 {
@@ -381,7 +385,14 @@ OM_uint32 Curl_gss_import_name_a(OM_uint32 *minor_status, gss_buffer_t in_name,
     return gss_import_name(minor_status, in_name, in_name_type, out_name);
 
   memcpy((char *)&in, (char *)in_name, sizeof(in));
-  i = in.length;
+  if(in.length > CURL_MAX_INPUT_LENGTH) {
+    if(minor_status)
+      /* !checksrc! disable ERRNOVAR 1 */
+      *minor_status = ENOMEM;
+
+    return GSS_S_FAILURE;
+  }
+  i = (unsigned int)in.length;
 
   in.value = malloc(i + 1);
   if(!in.value) {
@@ -445,8 +456,15 @@ Curl_gss_init_sec_context_a(OM_uint32 *minor_status,
 
   if(inp) {
     if(inp->length && inp->value) {
-      unsigned int i = inp->length;
+      unsigned int i;
+      if(inp->length > CURL_MAX_INPUT_LENGTH) {
+        if(minor_status)
+          /* !checksrc! disable ERRNOVAR 1 */
+          *minor_status = ENOMEM;
 
+        return GSS_S_FAILURE;
+      }
+      i = (unsigned int)inp->length;
       in.value = malloc(i + 1);
       if(!in.value) {
         if(minor_status)