BUG/MINOR: payload: prevent integer overflow in distcc token parsing

In both smp_fetch_distcc_param() and smp_fetch_distcc_body(), the code
does "ofs += body" without checking if body is larger than the remaining
data. If a malicious distcc packet contains a token with a very large
body length (param value up to 0xFFFFFFFF), ofs could overflow and wrap
around to a small value, causing the next iteration's bounds check
"ofs + 12 > ci_data(chn)" to pass incorrectly.

This could lead to out-of-bounds reads or an infinite loop.

Given that this is only used in trusted environments, this is mostly
harmless. It can be backported to all stable versions.
Willy Tarreau 2026-04-29 09:19:57 +02:00
parent 5cd666b0e3
commit 465dca8e81

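The wrap-around the commit message describes, as an added stand-alone example (this is not HAProxy's code and does not use its `chn`/`ci_data()` types): a minimal walker over distcc-style tokens, written once the way the message says the old loop behaved and once with the guard this commit adds. It assumes 32-bit `unsigned int` offsets and the 12-byte token header layout (a 4-character name followed by 8 hex digits giving the body length); the sample token streams are constructed here.

```c
#include <stdio.h>
#include <string.h>

/* Assumption: a token header is 4 name characters plus 8 hex digits of
 * body length, i.e. 12 bytes, followed by <body> bytes of payload. */
#define TOKEN_HDR 12

/* Decode the 8 hex digits of a token header into a body length. */
static unsigned int token_body_len(const unsigned char *hdr)
{
    unsigned int v = 0;
    for (int i = 4; i < TOKEN_HDR; i++) {
        unsigned char c = hdr[i];
        unsigned int d;
        if (c >= '0' && c <= '9') d = c - '0';
        else if (c >= 'a' && c <= 'f') d = c - 'a' + 10;
        else if (c >= 'A' && c <= 'F') d = c - 'A' + 10;
        else return 0;               /* invalid digit: treat as empty body */
        v = (v << 4) | d;
    }
    return v;
}

/* Walk the stream the way the commit message describes the old code:
 * "ofs += body" with no check that body fits in the remaining data.
 * Returns the number of tokens visited before the header check failed,
 * capped at max_iter so a wrapped offset cannot spin forever here. */
static int count_tokens_unchecked(const unsigned char *buf, unsigned int len, int max_iter)
{
    unsigned int ofs = 0;
    int n = 0;
    while (n < max_iter) {
        if (ofs + TOKEN_HDR > len)   /* the check a wrapped ofs slips past */
            break;
        unsigned int body = token_body_len(buf + ofs);
        ofs += TOKEN_HDR;
        ofs += body;                 /* wraps around on a huge body length */
        n++;
    }
    return n;
}

/* Same walk with the guard this commit adds: a body longer than what
 * remains after the header is rejected, so ofs can never exceed len.
 * Returns -1 for a malformed stream (the commit's "goto no_match"). */
static int count_tokens_checked(const unsigned char *buf, unsigned int len, int max_iter)
{
    unsigned int ofs = 0;
    int n = 0;
    while (n < max_iter) {
        if (ofs + TOKEN_HDR > len)
            break;
        unsigned int body = token_body_len(buf + ofs);
        ofs += TOKEN_HDR;
        /* ofs <= len here, so the subtraction cannot underflow */
        if (body > len - ofs)
            return -1;
        ofs += body;
        n++;
    }
    return n;
}

/* Constructed inputs: a well-formed two-token stream, and a single
 * header whose body length (0xfffffff4) makes 12 + body wrap to 0. */
static const unsigned char GOOD_STREAM[] = "DIST00000001XARGC00000000";
static const unsigned char WRAP_STREAM[] = "DISTfffffff4";

int main(void)
{
    unsigned int good_len = (unsigned int)strlen((const char *)GOOD_STREAM);
    unsigned int wrap_len = (unsigned int)strlen((const char *)WRAP_STREAM);

    printf("good stream: unchecked=%d checked=%d\n",
           count_tokens_unchecked(GOOD_STREAM, good_len, 1000),
           count_tokens_checked(GOOD_STREAM, good_len, 1000));
    /* unchecked hits the iteration cap (it would loop forever),
     * checked rejects the token as soon as body exceeds the remainder */
    printf("wrap stream: unchecked=%d checked=%d\n",
           count_tokens_unchecked(WRAP_STREAM, wrap_len, 1000),
           count_tokens_checked(WRAP_STREAM, wrap_len, 1000));
    return 0;
}
```

On the wrapping stream the unchecked walker comes back to offset 0 every iteration, which is the infinite-loop outcome from the commit message; with a different body length the wrapped offset would instead land past the buffer and the next header read would be out of bounds. The checked walker fails the guard on the first token and stops.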

@ -1455,6 +1455,8 @@ smp_fetch_distcc_param(const struct arg *arg_p, struct sample *smp, const char *
return 1;
}
}
if (body > ci_data(chn) - ofs)
goto no_match;
ofs += body;
}
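Review bot: the subtraction in `if (body > ci_data(chn) - ofs)` is only safe because `ofs` has already been bounded by the loop's earlier `ofs + 12 > ci_data(chn)` check that the commit message describes; none of that context is visible in this hunk, so a one-line comment above the guard stating the invariant (for example `/* ofs <= ci_data(chn) here, so no underflow */`) would document why the check cannot itself wrap.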
@ -1547,6 +1549,8 @@ smp_fetch_distcc_body(const struct arg *arg_p, struct sample *smp, const char *k
return 1;
}
}
if (body > ci_data(chn) - ofs)
goto no_match;
ofs += body;
}
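Review bot: this guard is a byte-for-byte copy of the one added to smp_fetch_distcc_param(), and the commit message says both functions share the same flawed loop; duplicating two lines is fine for a backportable minor fix, but the comment documenting the `ofs <= ci_data(chn)` precondition should appear here too (or the check move into a small shared helper) so the two copies do not drift apart when one is later changed.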