(krb5_realm_length(principal->realm) * 2) has no explicit type cast

[StepanGulyaev]

Hello! I was analyzing your module with Svace SAST tool and found a vulnerability here:

spnego-http-auth-nginx-module/ngx_http_auth_spnego_module.c

Lines 1384 to 1386 in 60f0811

	size_t tgs_principal_name_size =
	(ngx_strlen(KRB5_TGS_NAME) + (krb5_realm_length(principal->realm) * 2) + 2) + 1;
	tgs_principal_name = (char *)ngx_pcalloc(r->pool, tgs_principal_name_size);

krb5_realm_length returns value of length variable from principal->realm. principal->realm itself has data type krb5_data, length inside krb5_data has unsigned int type: https://web.mit.edu/kerberos/krb5-devel/doc/appdev/refs/types/krb5_data.html. So it may be an integer overflow while multiplying krb5_realm_length(principal->realm) result without cast to the larger type.

It also matters because potential integer overflow makes tgs_principal_name_size variable smaller than it have to and it leads to the loss of data here:

spnego-http-auth-nginx-module/ngx_http_auth_spnego_module.c

Lines 1388 to 1391 in 60f0811

	ngx_snprintf((u_char *)tgs_principal_name, tgs_principal_name_size,
	"%s/%*s@%*s", KRB5_TGS_NAME, krb5_realm_length(principal->realm),
	krb5_realm_data(principal->realm), krb5_realm_length(principal->realm),
	krb5_realm_data(principal->realm));

Fix itself is really simple. Hope it helps!

Found by Linux Verification Center (linuxtesting.org) with SVACE.

[Alphix]

Merged, thanks