From e04a67610adeea29541078cbc9e0cf9dab659e6b Mon Sep 17 00:00:00 2001
From: Guido Kiener <guido.kiener@rohde-schwarz.com>
Date: Fri, 1 Dec 2023 16:19:27 +0100
Subject: [PATCH] Fix heap corruption

Calculation of resultlen is wrong. E.g. if server allows
only one mechanism SCRAM-SHA-256, the expected string for the
mechlist_buf is "SCRAM-SHA-256-PLUS SCRAM-SHA-256" with a required
size of 33 bytes and not 32 bytes.
Note that (strlen(mysep) * (s_conn->mech_length - 1) * 2) = 0
when s_conn->mech_length = 1.

Signed-off-by: Guido Kiener <guido.kiener@rohde-schwarz.com>
---
 lib/server.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/server.c b/lib/server.c
index c69e58b8..b44155f4 100644
--- a/lib/server.c
+++ b/lib/server.c
@@ -1764,7 +1764,7 @@ int _sasl_server_listmech(sasl_conn_t *conn,
       INTERROR(conn, SASL_NOMECH);
 
   resultlen = (prefix ? strlen(prefix) : 0)
-            + (strlen(mysep) * (s_conn->mech_length - 1) * 2)
+            + (strlen(mysep) * (s_conn->mech_length * 2 - 1))
 	    + (mech_names_len(s_conn->mech_list) * 2) /* including -PLUS variant */
 	    + (s_conn->mech_length * (sizeof("-PLUS") - 1))
             + (suffix ? strlen(suffix) : 0)
-- 
2.33.0