From bbcc13be8b38283547883bfee4920331bea80cd1 Mon Sep 17 00:00:00 2001
From: Mahavir Jain
Date: Fri, 21 Nov 2025 15:54:14 +0530
Subject: [PATCH] fix(esp_http_client): prevent out-of-bounds read in Digest auth

Fixed vulnerability where malicious HTTP servers could trigger OOB reads by sending empty or very short algorithm fields in WWW-Authenticate headers.

Changes:
- Replace unsafe memcmp() with strcasecmp() for algorithm comparison
- Add algorithm NULL validation at function entry point
- Fix duplicate md5-sess check, add missing SHA-256 check
---
 components/esp_http_client/lib/http_auth.c | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

diff --git a/components/esp_http_client/lib/http_auth.c b/components/esp_http_client/lib/http_auth.c
index 6ba025933e..862bc25665 100644
--- a/components/esp_http_client/lib/http_auth.c
+++ b/components/esp_http_client/lib/http_auth.c
@@ -122,14 +122,15 @@ char *http_auth_digest(const char *username, const char *password, esp_http_auth
 password == NULL ||
 auth_data->nonce == NULL ||
 auth_data->uri == NULL ||
- auth_data->realm == NULL) {
+ auth_data->realm == NULL ||
+ auth_data->algorithm == NULL) {
 return NULL;
 }

 int digest_size = MD5_MAX_LEN;
 int (*digest_func)(char *digest, const char *fmt, ...) = md5_printf;
- if (!memcmp(auth_data->algorithm, "SHA256", strlen("SHA256")) ||
- !memcmp(auth_data->algorithm, "SHA-256", strlen("SHA-256"))) {
+ if (strcasecmp(auth_data->algorithm, "SHA256") == 0 ||
+ strcasecmp(auth_data->algorithm, "SHA-256") == 0) {
 digest_size = SHA256_HEX_LEN;
 digest_func = sha256_sprintf;
 }
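Review bot: The exact-match strcasecmp() in the new `if` narrows the algorithm set the old prefix memcmp() accepted: a challenge carrying `algorithm=SHA-256-sess` previously matched the first seven bytes of "SHA-256" and selected sha256_sprintf, whereas now it falls through to the md5_printf default, so the client would answer a SHA-256-sess challenge with MD5 digests. Extending the condition with `strcasecmp(auth_data->algorithm, "SHA-256-sess") == 0` (and `"SHA256-sess"` if the hyphen-less spelling is meant to be accepted) keeps the bounded comparison without losing that variant. The new `auth_data->algorithm == NULL` guard also rejects a challenge that omits the optional algorithm parameter, which RFC 7616 defaults to MD5, unless the caller has already substituted "MD5"; if that default lives in the header parser, a comment here such as `/* algorithm is defaulted to "MD5" by the header parser when absent */` would make the dependency explicit rather than implicit. The enclosing http_auth_digest() starts before this hunk and continues after it.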
@@ -150,7 +151,7 @@ char *http_auth_digest(const char *username, const char *password, esp_http_auth
 ESP_LOGD(TAG, "%s %s %s %s", "Digest", username, auth_data->realm, password);
 if ((strcasecmp(auth_data->algorithm, "md5-sess") == 0) ||
 (strcasecmp(auth_data->algorithm, "SHA256") == 0) ||
- (strcasecmp(auth_data->algorithm, "md5-sess") == 0)) {
+ (strcasecmp(auth_data->algorithm, "SHA-256") == 0)) {
 if (digest_func(ha1, "%s:%s:%016llx", ha1, auth_data->nonce, auth_data->cnonce) <= 0) {
 goto _digest_exit;
 }
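Review bot: The corrected condition still sends plain `SHA-256` (and `SHA256`) into the session-style fold on the next line, where HA1 is rehashed with nonce and cnonce; under RFC 7616 §3.4.2 that fold applies only to the `-sess` variants (`MD5-sess`, `SHA-256-sess`), so a server that challenged with `algorithm=SHA-256` would presumably fail to verify the response this branch produces. Unless a known server population relies on the current behaviour, the two non-sess arms should collapse into `(strcasecmp(auth_data->algorithm, "SHA-256-sess") == 0)) {` so the branch is taken only for session algorithms, with the digest selection earlier in the function recognising the same spelling so that digest_func matches. The enclosing http_auth_digest() starts before this hunk and continues after it.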