CDRIVER-5550 fix crash when password is empty (#1586)

kevinAlbs · web-flow · commit 5959f64fe61e · 2024-05-01T05:34:46.000-04:00
* add regression test * CDRIVER-5550 fix crash when password is empty Default `scram->pass` to empty string
diff --git a/src/libmongoc/src/mongoc/mongoc-scram.c b/src/libmongoc/src/mongoc/mongoc-scram.c
@@ -341,6 +341,11 @@ _mongoc_scram_start (
       goto FAIL;
    }
 
+   if (!scram->pass) {
+      // Apply an empty string as a default.
+      scram->pass = bson_strdup ("");
+   }
+
    /* auth message is as big as the outbuf just because */
    scram->auth_message = (uint8_t *) bson_malloc (outbufmax);
    scram->auth_messagemax = outbufmax;
@@ -994,6 +999,7 @@ _mongoc_scram_step (mongoc_scram_t *scram,
 bool
 _mongoc_sasl_prep_required (const char *str)
 {
+   BSON_ASSERT_PARAM (str);
    unsigned char c;
    while (*str) {
       c = (unsigned char) *str;
diff --git a/src/libmongoc/tests/test-mongoc-scram.c b/src/libmongoc/tests/test-mongoc-scram.c
@@ -718,6 +718,25 @@ test_mongoc_saslprep_auth (void *ctx)
    _drop_saslprep_users ();
 }
 
+// `test_mongoc_scram_empty_password` is a regression test for CDRIVER-5550.
+static void
+test_mongoc_scram_empty_password (void *ctx)
+{
+   BSON_UNUSED (ctx);
+   char *user = test_framework_get_admin_user ();
+   char *uri_str = test_framework_get_uri_str_no_auth ("admin");
+   mongoc_uri_t *uri = mongoc_uri_new (uri_str);
+   mongoc_uri_set_username (uri, user);
+
+   // Expect an auth failure (not a crash):
+   _try_auth_from_uri (false /* pooled */, uri, MONGOC_TEST_AUTH_ERROR);
+   _try_auth_from_uri (true /* pooled */, uri, MONGOC_TEST_AUTH_ERROR);
+
+   mongoc_uri_destroy (uri);
+   bson_free (uri_str);
+   bson_free (user);
+}
+
 void
 test_scram_install (TestSuite *suite)
 {
@@ -751,4 +770,12 @@ test_scram_install (TestSuite *suite)
                       test_framework_skip_if_no_auth,
                       _skip_if_no_sha256,
                       TestSuite_CheckLive);
+   TestSuite_AddFull (suite,
+                      "/scram/empty_password",
+                      test_mongoc_scram_empty_password,
+                      NULL /* dtor */,
+                      NULL /* ctx */,
+                      test_framework_skip_if_no_auth,
+                      _skip_if_no_sha256,
+                      TestSuite_CheckLive);
 }
