From f4b69012307580119409100f5934d7621ea545c9 Mon Sep 17 00:00:00 2001 From: Daniel Stenberg Date: Fri, 5 Apr 2019 22:50:22 +0200 Subject: [PATCH] socks5: user name and passwords must be shorter than 256 bytes... since the protocol needs to store the length in a single byte field. Reported-by: XmiliaH on github Fixes #3737 Closes #3740 --- lib/socks.c | 16 ++++++++++++++-- 1 file changed, 14 insertions(+), 2 deletions(-) diff --git a/lib/socks.c b/lib/socks.c index d0aba0605..906376dab 100644 --- a/lib/socks.c +++ b/lib/socks.c @@ -527,12 +527,24 @@ CURLcode Curl_SOCKS5(const char *proxy_user, len = 0; socksreq[len++] = 1; /* username/pw subnegotiation version */ socksreq[len++] = (unsigned char) proxy_user_len; - if(proxy_user && proxy_user_len) + if(proxy_user && proxy_user_len) { + /* the length must fit in a single byte */ + if(proxy_user_len >= 255) { + failf(data, "Excessive user name length for proxy auth"); + return CURLE_BAD_FUNCTION_ARGUMENT; + } memcpy(socksreq + len, proxy_user, proxy_user_len); + } len += proxy_user_len; socksreq[len++] = (unsigned char) proxy_password_len; - if(proxy_password && proxy_password_len) + if(proxy_password && proxy_password_len) { + /* the length must fit in a single byte */ + if(proxy_password_len > 255) { + failf(data, "Excessive password length for proxy auth"); + return CURLE_BAD_FUNCTION_ARGUMENT; + } memcpy(socksreq + len, proxy_password, proxy_password_len); + } len += proxy_password_len; code = Curl_write_plain(conn, sock, (char *)socksreq, len, &written); -- 2.40.0