David Cohen pointed out that RFC2109 says clients should allow cookies to

contain least 4096 bytes while libcurl only allowed 2047. I raised the limit
to 4999 now and made the used buffer get malloc()ed instead of simply
allocated on stack as before.

lib/cookie.c

@@ -149,7 +149,7 @@ Curl_cookie_add(struct SessionHandle *data,
                                     unless set */
 {
   struct Cookie *clist;
-  char what[MAX_COOKIE_LINE];
+  char *what;
   char name[MAX_NAME];
   char *ptr;
   char *semiptr;
@@ -167,6 +167,13 @@ Curl_cookie_add(struct SessionHandle *data,
   if(httpheader) {
     /* This line was read off a HTTP-header */
     char *sep;
+
+    what = malloc(MAX_COOKIE_LINE);
+    if(!what) {
+      free(co);
+      return NULL;
+    }
+
     semiptr=strchr(lineptr, ';'); /* first, find a semicolon */
 
     while(*lineptr && isspace((int)*lineptr))
@@ -387,6 +394,8 @@ Curl_cookie_add(struct SessionHandle *data,
       }
     }
 
+    free(what);
+
     if(badcookie || !co->name) {
       /* we didn't get a cookie name or a bad one,
          this is an illegal line, bail out */

lib/cookie.h

@@ -60,13 +60,20 @@ struct CookieInfo {
   bool newsession; /* new session, discard session cookies on load */
 };
 
-/* This is the maximum line length we accept for a cookie line */
-#define MAX_COOKIE_LINE 2048
-#define MAX_COOKIE_LINE_TXT "2047"
+/* This is the maximum line length we accept for a cookie line. RFC 2109
+   section 6.3 says:
+
+   "at least 4096 bytes per cookie (as measured by the size of the characters
+   that comprise the cookie non-terminal in the syntax description of the
+   Set-Cookie header)"
+
+*/
+#define MAX_COOKIE_LINE 5000
+#define MAX_COOKIE_LINE_TXT "4999"
 
 /* This is the maximum length of a cookie name we deal with: */
-#define MAX_NAME 256
-#define MAX_NAME_TXT "255"
+#define MAX_NAME 1024
+#define MAX_NAME_TXT "1023"
 
 struct SessionHandle;
 /*