Enforce some hard limits on SASL mechanism length.

Author: dustin

memcached.c

@@ -1526,6 +1526,12 @@ static void process_bin_sasl_auth(conn *c) {
     int nkey = c->binary_header.request.keylen;
     int vlen = c->binary_header.request.bodylen - nkey;
 
+    if (nkey > MAX_SASL_MECH_LEN) {
+        write_bin_error(c, PROTOCOL_BINARY_RESPONSE_EINVAL, vlen);
+        c->write_and_go = conn_swallow;
+        return;
+    }
+
     char *key = binary_get_key(c);
     assert(key);
 

sasl_defs.h

@@ -1,6 +1,9 @@
 #ifndef SASL_DEFS_H
 #define SASL_DEFS_H 1
 
+// Longest one I could find was ``9798-U-RSA-SHA1-ENC''
+#define MAX_SASL_MECH_LEN 32
+
 #if defined(HAVE_SASL_SASL_H) && defined(ENABLE_SASL)
 
 #include <sasl/sasl.h>

t/binary-sasl.t

@@ -12,7 +12,7 @@ my $supports_sasl = supports_sasl();
 use Test::More;
 
 if (supports_sasl()) {
-    plan tests => 19;
+    plan tests => 20;
 } else {
     plan tests => 1;
     eval {
@@ -161,6 +161,9 @@ system("echo testpass | saslpasswd2 -a memcached -c -p testuser");
 
 $mc = MC::Client->new;
 
+# Attempt a bad auth mech.
+is ($mc->authenticate('testuser', 'testpass', "X" x 40), 0x4, "bad mech");
+
 # Attempt bad authentication.
 is ($mc->authenticate('testuser', 'wrongpassword'), 0x20, "bad auth");
 
@@ -221,9 +224,10 @@ sub new {
 }
 
 sub authenticate {
-    my ($self, $user, $pass)= @_;
+    my ($self, $user, $pass, $mech)= @_;
+    $mech ||= 'PLAIN';
     my $buf = sprintf("%c%s%c%s", 0, $user, 0, $pass);
-    my ($status, $rv, undef) = $self->_do_command(::CMD_SASL_AUTH, "PLAIN", $buf, '');
+    my ($status, $rv, undef) = $self->_do_command(::CMD_SASL_AUTH, $mech, $buf, '');
     return $status;
 }
 sub list_mechs {