strophe / libstrophe

A simple, lightweight C library for writing XMPP clients
http://strophe.im/libstrophe

strcmp bugs in auth.c #121

Closed vasilyrud closed 6 years ago

vasilyrud commented 6 years ago

@ivanpustogarov and I found a few bugs while using AFL to fuzz the first authentication step of libstrophe in SASL mode (although these issues can be applicable to the nearby TLS code as well).

For a particular initial server response, libstrophe will crash with:

received signal SIGSEGV, Segmentation fault.
in _handle_features (conn=0x61d970, stanza=<optimized out>, userdata=<optimized out>) at src/auth.c:240
240         if (child && (strcmp(xmpp_stanza_get_ns(child), XMPP_NS_SASL) == 0)) {

An example response from a server that would crash libstrophe:

<stream:stream xmlns:stream='http://etherx.jabber.org/streams'><stream:features><mechanisms></mechanisms></stream:features>

Specifically, it crashes in strcmp because strcmp receives NULL from xmpp_stanza_get_ns(child). This can be caused by there being no xmlns attribute in mechanisms.

Similarly, strcasecmp in auth.c:245 crashes if xmpp_stanza_get_text(mech) returns NULL. An example server response that triggers this is:

<?xml version='1.0'?><stream:stream xmlns:stream='http://etherx.jabber.org/streams' version='1.0' from='example.com' id='96f68a34-327c-4b69--c575112a1704' xml:lang='en' xmlns='jabber:client'><stream:features><mechanisms xmlns='urn:ietf:params:xml:ns:xmpp-sasl'><mechanism></mechanism>/mechanism><mechanism>DIGEST-MD5</mechanism></mechanisms></stream:features>

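
Both crashes come from passing a NULL pointer straight into strcmp/strcasecmp. The following is an added example, not libstrophe's code: a NULL-safe form of the two checks at auth.c:240 and auth.c:245, with the namespace and text values modelled as plain C strings that are NULL when the element has no xmlns attribute or no text node, which is what xmpp_stanza_get_ns() and xmpp_stanza_get_text() return for the responses above.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Same value libstrophe compares against at auth.c:240. */
#define XMPP_NS_SASL "urn:ietf:params:xml:ns:xmpp-sasl"

/* NULL-safe equality: a missing attribute or text node never matches,
 * and strcmp() is only reached with two valid pointers. */
static int str_eq(const char *a, const char *b)
{
    return a != NULL && b != NULL && strcmp(a, b) == 0;
}

/* Case-insensitive variant for the mechanism name comparison. */
static int str_ieq(const char *a, const char *b)
{
    return a != NULL && b != NULL && strcasecmp(a, b) == 0;
}

/* Hardened form of the auth.c:240 check. `ns` stands for the return value
 * of xmpp_stanza_get_ns(child); NULL means <mechanisms> had no xmlns.
 * Returns 1 only when the namespace is present and is the SASL one. */
int mechanisms_is_sasl(const char *ns)
{
    return str_eq(ns, XMPP_NS_SASL);
}

/* Hardened form of the auth.c:245 check. `text` stands for the return value
 * of xmpp_stanza_get_text(mech); NULL means an empty <mechanism></mechanism>.
 * An empty element is simply "not this mechanism" rather than a crash. */
int mechanism_is(const char *text, const char *name)
{
    return str_ieq(text, name);
}

int main(void)
{
    /* Constructed inputs mirroring the two crashing server responses. */
    const char *no_xmlns = NULL;        /* <mechanisms></mechanisms>        */
    const char *empty_mech = NULL;      /* <mechanism></mechanism>          */
    const char *digest = "DIGEST-MD5";  /* <mechanism>DIGEST-MD5</mechanism> */

    printf("mechanisms without xmlns is SASL? %d\n", mechanisms_is_sasl(no_xmlns));
    printf("empty mechanism is PLAIN?        %d\n", mechanism_is(empty_mech, "PLAIN"));
    printf("DIGEST-MD5 matches digest-md5?   %d\n", mechanism_is(digest, "digest-md5"));
    return 0;
}
```

The same guard belongs at every place a stanza accessor's result is handed to a libc string function, since the accessor returns NULL for any element the server chose to leave empty.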
pasis commented 6 years ago

Thanks for the report, I'll take a look.

pasis commented 6 years ago

I've found 6 places with the related problem so far. Will make a patch soon.