From 5d72a1dd1e2fdaec676569559b6f483682495a4e Mon Sep 17 00:00:00 2001
From: "C. McEnroe"
Date: Mon, 30 Aug 2021 17:40:49 -0400
Subject: Correct handling of colons in SASL PLAIN

Only the first colon should be replaced with a null byte.
---
 state.c | 23 +++++++++++------------
 1 file changed, 11 insertions(+), 12 deletions(-)

diff --git a/state.c b/state.c
index edc4b92..e1b49c9 100644
--- a/state.c
+++ b/state.c
@@ -60,22 +60,21 @@ void stateLogin(
 const char *pass, enum Cap blind, const char *plain, const char *nick, const char *user, const char *real
 ) {
- serverFormat("CAP LS 302\r\n");
- if (pass) serverFormat("PASS :%s\r\n", pass);
- if (blind) serverFormat("CAP REQ :%s\r\n", capList(blind, NULL));
 if (plain) {
- byte buf[AuthLen];
+ byte buf[AuthLen] = {0};
 size_t len = 1 + strlen(plain);
- if (sizeof(buf) < len) {
- errx(EX_SOFTWARE, "SASL PLAIN is too long");
- }
- buf[0] = 0;
- for (size_t i = 0; plain[i]; ++i) {
- buf[1 + i] = (plain[i] == ':' ? 0 : plain[i]);
- }
+ if (len > sizeof(buf)) errx(EX_CONFIG, "SASL PLAIN too long");
+ memcpy(&buf[1], plain, len - 1);
+ byte *sep = memchr(buf, ':', len);
+ if (!sep) errx(EX_CONFIG, "SASL PLAIN missing colon");
+ *sep = 0;
 base64(plainBase64, buf, len);
- explicit_bzero(buf, sizeof(buf));
+ explicit_bzero(buf, len);
 }
+
+ serverFormat("CAP LS 302\r\n");
+ if (pass) serverFormat("PASS :%s\r\n", pass);
+ if (blind) serverFormat("CAP REQ :%s\r\n", capList(blind, NULL));
 serverFormat("NICK %s\r\n", nick);
 serverFormat("USER %s 0 * :%s\r\n", user, real);
 }
-- cgit 1.4.1
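Review bot: The rewritten `if (plain)` block has no comment stating the message layout, even though `memchr(buf, ':', len)` is only correct because `buf[0]` is the empty-authzid NUL and the split must happen at the first colon. I would add `// authzid NUL authcid NUL passwd (RFC 4616); split at the first ':' only, so the password may contain colons` above the `memcpy`. Starting the search at `&buf[1]` with `len - 1` would make that dependency explicit. An input such as `:secret` passes the new check and produces an empty authcid; extending the guard to `if (!sep || sep == &buf[1])` would report it as a configuration error here instead of leaving it to fail at the server.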