From c56f9797e7feb7c2dc93bc389d4b85cc75220d77 Mon Sep 17 00:00:00 2001
From: Jonathan Nieder <jrnieder@gmail.com>
Date: Mon, 19 Aug 2013 00:36:53 -0700
Subject: sasl: allow arbitrarily long username and password

Use appropriately sized buffers on the heap instead of fixed-size
buffers on the stack, to allow for longer usernames and passwords.

Callers never pass anything longer than MAX_CURL_USER_LENGTH (resp.
MAX_CURL_PASSWORD_LENGTH), so no functional change inteded yet.
---
 lib/curl_sasl.c | 25 ++++++++++++++++---------
 1 file changed, 16 insertions(+), 9 deletions(-)

(limited to 'lib/curl_sasl.c')

diff --git a/lib/curl_sasl.c b/lib/curl_sasl.c
index fcb001948..924be4bbc 100644
--- a/lib/curl_sasl.c
+++ b/lib/curl_sasl.c
@@ -94,18 +94,18 @@ CURLcode Curl_sasl_create_plain_message(struct SessionHandle *data,
                                         const char *passwdp,
                                         char **outptr, size_t *outlen)
 {
-  char plainauth[2 * MAX_CURL_USER_LENGTH + MAX_CURL_PASSWORD_LENGTH];
+  CURLcode result;
+  char *plainauth;
   size_t ulen;
   size_t plen;
 
   ulen = strlen(userp);
   plen = strlen(passwdp);
 
-  if(2 * ulen + plen + 2 > sizeof(plainauth)) {
+  plainauth = malloc(2 * ulen + plen + 2);
+  if(!plainauth) {
     *outlen = 0;
     *outptr = NULL;
-
-    /* Plainauth too small */
     return CURLE_OUT_OF_MEMORY;
   }
 
@@ -117,8 +117,10 @@ CURLcode Curl_sasl_create_plain_message(struct SessionHandle *data,
   memcpy(plainauth + 2 * ulen + 2, passwdp, plen);
 
   /* Base64 encode the reply */
-  return Curl_base64_encode(data, plainauth, 2 * ulen + plen + 2, outptr,
-                            outlen);
+  result = Curl_base64_encode(data, plainauth, 2 * ulen + plen + 2, outptr,
+                              outlen);
+  Curl_safefree(plainauth);
+  return result;
 }
 
 /*
@@ -190,7 +192,7 @@ CURLcode Curl_sasl_create_cram_md5_message(struct SessionHandle *data,
   size_t chlglen = 0;
   HMAC_context *ctxt;
   unsigned char digest[MD5_DIGEST_LEN];
-  char response[MAX_CURL_USER_LENGTH + 2 * MD5_DIGEST_LEN + 1];
+  char *response;
 
   /* Decode the challenge if necessary */
   if(chlg64len && *chlg64 != '=') {
@@ -220,14 +222,19 @@ CURLcode Curl_sasl_create_cram_md5_message(struct SessionHandle *data,
   Curl_HMAC_final(ctxt, digest);
 
   /* Prepare the response */
-  snprintf(response, sizeof(response),
+  response = aprintf(
       "%s %02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x",
            userp, digest[0], digest[1], digest[2], digest[3], digest[4],
            digest[5], digest[6], digest[7], digest[8], digest[9], digest[10],
            digest[11], digest[12], digest[13], digest[14], digest[15]);
+  if(!response)
+    return CURLE_OUT_OF_MEMORY;
 
   /* Base64 encode the reply */
-  return Curl_base64_encode(data, response, 0, outptr, outlen);
+  result = Curl_base64_encode(data, response, 0, outptr, outlen);
+
+  Curl_safefree(response);
+  return result;
 }
 
 /*
-- 
cgit v1.2.3