From f901a46f7bb581270d4c49893985ff14aa894955 Mon Sep 17 00:00:00 2001
From: Kevin Albertson
Date: Wed, 22 Oct 2025 16:29:53 -0400
Subject: [PATCH 1/3] CDRIVER-6134 check overflow
---
 src/libmongoc/src/mongoc/mongoc-cyrus.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/libmongoc/src/mongoc/mongoc-cyrus.c b/src/libmongoc/src/mongoc/mongoc-cyrus.c
index 9564f7f89b..477306077c 100644
--- a/src/libmongoc/src/mongoc/mongoc-cyrus.c
+++ b/src/libmongoc/src/mongoc/mongoc-cyrus.c
@@ -115,7 +115,7 @@ _mongoc_cyrus_canon_user(sasl_conn_t *conn,
 // `inlen` is a string length (excluding trailing NULL).
 // Cyrus-SASL passes an `out` buffer of size `out_max + 1`. Assume `out_max` is the max to be safe.
- if (inlen + 1 >= out_max) {
+ if (inlen == UINT_MAX || inlen + 1 >= out_max) {
 MONGOC_ERROR("SASL username too large");
 return SASL_BUFOVER;
 }
From 66ee5fb9bfa046af0872e255a5c7379866130e33 Mon Sep 17 00:00:00 2001
From: Kevin Albertson
Date: Fri, 24 Oct 2025 09:38:37 -0400
Subject: [PATCH 2/3] use `mlib_add`
---
 src/libmongoc/src/mongoc/mongoc-cyrus.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/src/libmongoc/src/mongoc/mongoc-cyrus.c b/src/libmongoc/src/mongoc/mongoc-cyrus.c
index 477306077c..9bb2451cad 100644
--- a/src/libmongoc/src/mongoc/mongoc-cyrus.c
+++ b/src/libmongoc/src/mongoc/mongoc-cyrus.c
@@ -115,7 +115,8 @@ _mongoc_cyrus_canon_user(sasl_conn_t *conn,
 // `inlen` is a string length (excluding trailing NULL).
 // Cyrus-SASL passes an `out` buffer of size `out_max + 1`. Assume `out_max` is the max to be safe.
- if (inlen == UINT_MAX || inlen + 1 >= out_max) {
+ unsigned inlen_1;
+ if (mlib_add(&inlen_1, inlen, 1) || inlen_1 + 1 >= out_max) {
 MONGOC_ERROR("SASL username too large");
 return SASL_BUFOVER;
 }
From ac539c238a1b7fb190b3ada73abac5473354d3e5 Mon Sep 17 00:00:00 2001
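Review bot: The rewritten guard in PATCH 2/3 still performs an unchecked addition: in `inlen_1 + 1 >= out_max` the `+ 1` is applied to the already-incremented sum, so for `inlen == UINT_MAX - 1` the checked add succeeds, `inlen_1 + 1` wraps to 0 in unsigned arithmetic, and the length check passes for any non-zero `out_max`. It also rejects names one byte shorter than the `inlen + 1 >= out_max` test from PATCH 1/3, which looks unintended. Comparing the checked sum directly, `if (mlib_add(&inlen_1, inlen, 1) || inlen_1 >= out_max) {`, closes the wrap and keeps the earlier bound; this assumes `mlib_add` stores `inlen + 1` in `inlen_1` and returns true on overflow, as its use here implies. The same line is carried unchanged as context in PATCH 3/3, and what the function does with `inlen` after the guard is outside the hunk.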
From: Kevin Albertson
Date: Fri, 24 Oct 2025 12:28:42 -0400
Subject: [PATCH 3/3] init to 0
---
 src/libmongoc/src/mongoc/mongoc-cyrus.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/libmongoc/src/mongoc/mongoc-cyrus.c b/src/libmongoc/src/mongoc/mongoc-cyrus.c
index 9bb2451cad..45734fb07b 100644
--- a/src/libmongoc/src/mongoc/mongoc-cyrus.c
+++ b/src/libmongoc/src/mongoc/mongoc-cyrus.c
@@ -115,7 +115,7 @@ _mongoc_cyrus_canon_user(sasl_conn_t *conn,
 // `inlen` is a string length (excluding trailing NULL).
 // Cyrus-SASL passes an `out` buffer of size `out_max + 1`. Assume `out_max` is the max to be safe.
- unsigned inlen_1;
+ unsigned inlen_1 = 0;
 if (mlib_add(&inlen_1, inlen, 1) || inlen_1 + 1 >= out_max) {
 MONGOC_ERROR("SASL username too large");
 return SASL_BUFOVER;