CDRIVER-6134 check SASL username length #2156

kevinAlbs · 2025-10-22T18:54:03Z

Summary

Check SASL username length. See CDRIVER-6134 and linked tickets for more information.

Background

Cyrus-SASL 2.1.28 documents expected behavior of the callback:

int sasl_canon_user_t(sasl_conn_t *conn, void *context, const char *user, unsigned ulen,
                      unsigned flags, const char *user_realm, char *out_user,
                      unsigned out_umax, unsigned *out_ulen)

out_umax – Maximum length for out_user

Cyrus-SASL source suggests out_user is a buffer of size out_umax+1. However, since this does not appear clearly documented, this implementation assumes a size of out_umax.

Check in callback. Reject too-large username.

vector-of-bool

LGTM

CDRIVER-6134 check SASL username length

060f8da

Check in callback. Reject too-large username.

kevinAlbs requested a review from a team as a code owner October 22, 2025 18:54

kevinAlbs requested a review from vector-of-bool October 22, 2025 18:54

vector-of-bool approved these changes Oct 22, 2025

View reviewed changes

kevinAlbs merged commit b498496 into mongodb:master Oct 22, 2025
44 of 46 checks passed

kevinAlbs mentioned this pull request Oct 22, 2025

CDRIVER-6134 check overflow #2159

Merged

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

CDRIVER-6134 check SASL username length #2156

CDRIVER-6134 check SASL username length #2156

Uh oh!

kevinAlbs commented Oct 22, 2025

Uh oh!

vector-of-bool left a comment

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants

CDRIVER-6134 check SASL username length #2156

CDRIVER-6134 check SASL username length #2156

Uh oh!

Conversation

kevinAlbs commented Oct 22, 2025

Summary

Background

Uh oh!

vector-of-bool left a comment

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants