[7.0.2 Cherry-pick] Add TDS token data length bounds checks (#4340)

[github-actions]

Cherry-pick of #4340 to release/7.0

This is a cherry-pick of #4340 (commit b6c0569) onto the release/7.0 branch for the 7.0.2 hotfix.

Summary

Adds bounds checks on data lengths read from the TDS wire to prevent unbounded byte[] allocation from a malicious server.

All checks throw SQL.ParsingErrorLength(ParsingErrorState.CorruptedTdsStream, ...) when a spoofed length exceeds protocol-reasonable maximums.

Changes

File	Change
TdsEnums.cs	New constants: MaxTokenDataLength (1 MB), MaxPromoteTransactionLength (64 KB), MaxDateTimeLength (10)
SqlUtil.cs	New ParsingErrorLength() helper
TdsParser.cs	7 bounds-check sites: session state total/inner length, fed auth info token length, promote transaction newLength, feature ext ack data length, datetime length, return value non-PLP length, binary/vector length
SqlConnectionInternal.cs	Pass loginTimeout into TdsParser for connection-level timeout propagation
GenericTdsServer.cs	New FeatureExtAckDataOverride + FeatureExtAckFeatureIdOverride properties for test injection
TdsTokenBoundsTests.cs	New — 1,051 lines of tests covering all bounds-check sites
FeatureExtAckBoundsTests.cs	New — 163 lines testing feature ext ack bounds
Various Connection*Tests.cs	Minor: whitespace fixes, comment updates

Cherry-pick resolution notes

The cherry-pick required manual conflict resolution in TdsParser.cs due to differences between main and release/7.0:

• Trailing whitespace that was already cleaned on main but still present on release/7.0 (fixed as part of this cherry-pick)
• The SQLVECTOR case used an older two-line allocation pattern (byte[] b = new byte[length] + out b) which was updated to the inline out byte[] b form consistent with the bounds-check pattern

All substantive logic changes from the original PR are present and verified.

[paulmedynski]

/azp run

[azure-pipelines]

Azure Pipelines successfully started running 2 pipeline(s).

[Copilot]

Pull request overview

Cherry-picks the TDS token-length bounds checking work onto release/7.0 to harden the client against malicious servers sending spoofed lengths that could otherwise trigger unbounded byte[] allocations.

Changes:

• Adds new protocol-reasonable maximums in TdsEnums and applies new length bounds checks in multiple TDS parsing sites.
• Introduces a SQL.ParsingErrorLength(..., uint) helper overload to report oversized lengths consistently.
• Extends the simulated TDS server test infrastructure and adds new unit tests to validate the new bounds checks.

Reviewed changes

Copilot reviewed 13 out of 13 changed files in this pull request and generated 3 comments.

Show a summary per file

File	Description
src/Microsoft.Data.SqlClient/tests/UnitTests/SimulatedServerTests/TdsTokenBoundsTests.cs	Adds simulated-server tests for multiple new bounds-check sites.
src/Microsoft.Data.SqlClient/tests/UnitTests/SimulatedServerTests/FeatureExtensionNegotiationTests.cs	Adds clarification comment for serialized test collection usage.
src/Microsoft.Data.SqlClient/tests/UnitTests/SimulatedServerTests/FeatureExtAckBoundsTests.cs	Adds bounds tests for FeatureExtAck token data length.
src/Microsoft.Data.SqlClient/tests/UnitTests/SimulatedServerTests/ConnectionRoutingTestsAzure.cs	Whitespace/comment updates.
src/Microsoft.Data.SqlClient/tests/UnitTests/SimulatedServerTests/ConnectionRoutingTests.cs	Whitespace/comment updates.
src/Microsoft.Data.SqlClient/tests/UnitTests/SimulatedServerTests/ConnectionReadOnlyRoutingTests.cs	Whitespace/comment updates.
src/Microsoft.Data.SqlClient/tests/UnitTests/SimulatedServerTests/ConnectionFailoverTests.cs	Whitespace/comment updates.
src/Microsoft.Data.SqlClient/tests/UnitTests/SimulatedServerTests/ConnectionEnhancedRoutingTests.cs	Comment update about test collection serialization.
src/Microsoft.Data.SqlClient/tests/tools/TDS/TDS.Servers/GenericTdsServer.cs	Adds OnSQLBatchCompleted hook to enable post-login token injection in tests.
src/Microsoft.Data.SqlClient/src/Microsoft/Data/SqlClient/TdsParser.cs	Adds bounds checks in parser paths to prevent unsafe allocations from spoofed lengths.
src/Microsoft.Data.SqlClient/src/Microsoft/Data/SqlClient/TdsEnums.cs	Adds new max-length constants used by parser bounds checks.
src/Microsoft.Data.SqlClient/src/Microsoft/Data/SqlClient/SqlUtil.cs	Adds ParsingErrorLength(..., uint) helper overload.
src/Microsoft.Data.SqlClient/src/Microsoft/Data/SqlClient/Connection/SqlConnectionInternal.cs	Adds bounds check preventing out-of-range copy in SRECOVERY parsing.

[paulmedynski]

/azp run

[azure-pipelines]

Azure Pipelines successfully started running 2 pipeline(s).

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 65.79%. Comparing base (778614a) to head (8296c4a).

❗ There is a different number of reports uploaded between BASE (778614a) and HEAD (8296c4a). Click for more details.

HEAD has 1 upload less than BASE

Flag	BASE (778614a)	HEAD (8296c4a)
CI-SqlClient	1	0

Additional details and impacted files

@@               Coverage Diff               @@
##           release/7.0    #4358      +/-   ##
===============================================
- Coverage        73.11%   65.79%   -7.33%     
===============================================
  Files              280      275       -5     
  Lines            43026    65883   +22857     
===============================================
+ Hits             31457    43345   +11888     
- Misses           11569    22538   +10969     

Flag	Coverage Δ
CI-SqlClient	?
PR-SqlClient-Project	65.79% <100.00%> (?)

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Harness.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.