[PATCH 01/24] auth: Don't disconnect auth client when invalid base64 SASL input is...
author Timo Sirainen <timo.sirainen@open-xchange.com>
Tue, 4 Nov 2025 09:34:30 +0000 (11:34 +0200)
committer Noah Meyerhans <noahm@debian.org>
Tue, 31 Mar 2026 19:07:17 +0000 (15:07 -0400)
The base64 input comes from an untrusted client. It shouldn't cause the auth
client to disconnect, which causes other concurrent logins to be aborted.

Broken by 1486c30e191ff079bfa78e7950173bb33d8073d9

Gbp-Pq: Name CVE-2025-59028.patch

src/auth/auth-request-handler.c

index 35acb240b99393464370efe84bdd5565e1314dc5..c0169c84a3f7d19a43092b285ccff5893f1ea2cf 100644 (file)
@@ -715,6 +715,9 @@ int auth_request_handler_auth_begin(struct auth_request_handler *handler,
                        auth_request_handler_auth_fail_code(handler, request,
                                AUTH_CLIENT_FAIL_CODE_INVALID_BASE64,
                                "Invalid base64 data in initial response");
+                       /* The base64 input came from untrusted client. It's
+                          an expected auth failure, so don't disconnect the
+                          auth client. */
                        return 1;
                }
                initial_resp_data =
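Review bot: This hunk is comment-only; the initial-response path already returned 1 after auth_request_handler_auth_fail_code, so the behavioural fix described in the commit message lives entirely in the auth_continue hunk. Minor style point on the new comment: "came from untrusted client" should read "came from an untrusted client" (the same wording is duplicated in the second hunk). Since this path is the one that already behaved correctly, a regression test that feeds invalid base64 as the initial response and checks that the auth client connection survives would pin it down against future changes like the one cited as breaking the continue path.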
@@ -787,7 +790,10 @@ int auth_request_handler_auth_continue(struct auth_request_handler *handler,
                        auth_request_handler_auth_fail_code(handler, request,
                                AUTH_CLIENT_FAIL_CODE_INVALID_BASE64,
                                "Invalid base64 data in continued response");
-                       return -1;
+                       /* The base64 input came from untrusted client. It's
+                          an expected auth failure, so don't disconnect the
+                          auth client. */
+                       return 1;
                }
        }
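Review bot: Changing `return -1;` to `return 1;` here needs one check before merging: the -1 path presumably let the caller tear down the auth client connection, which also disposed of the pending request, so confirm that auth_request_handler_auth_fail_code on the line above already sends the failure reply and releases the request itself. Otherwise the new `return 1;` keeps the connection alive but may leave the failed request allocated, and a client that repeatedly sends invalid base64 in continued responses would leak one request per attempt. The commit message should also say explicitly that the continue path is the only behavioural change (the first hunk only adds a comment), and a regression test for invalid base64 in a continued response, asserting that a concurrent login on the same auth client connection completes, would cover the CVE-2025-59028 case named in the Gbp-Pq header.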