From 465dca8e81e9db695880beda1dd973a794074895 Mon Sep 17 00:00:00 2001 From: Willy Tarreau Date: Wed, 29 Apr 2026 09:19:57 +0200 Subject: [PATCH] BUG/MINOR: payload: prevent integer overflow in distcc token parsing In both smp_fetch_distcc_param() and smp_fetch_distcc_body(), the code does "ofs += body" without checking if body is larger than the remaining data. If a malicious distcc packet contains a token with a very large body length (param value up to 0xFFFFFFFF), ofs could overflow and wrap around to a small value, causing the next iteration's bounds check "ofs + 12 > ci_data(chn)" to pass incorrectly. This could lead to out-of-bounds reads or an infinite loop. Given that this is only used in trusted environments, this is mostly harmless. It can be backported to all stable versions. --- src/payload.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/src/payload.c b/src/payload.c index 0221929b9..457541189 100644 --- a/src/payload.c +++ b/src/payload.c @@ -1455,6 +1455,8 @@ smp_fetch_distcc_param(const struct arg *arg_p, struct sample *smp, const char * return 1; } } + if (body > ci_data(chn) - ofs) + goto no_match; ofs += body; } @@ -1547,6 +1549,8 @@ smp_fetch_distcc_body(const struct arg *arg_p, struct sample *smp, const char *k return 1; } } + if (body > ci_data(chn) - ofs) + goto no_match; ofs += body; }
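Review bot: in the smp_fetch_distcc_param() hunk, the new guard `if (body > ci_data(chn) - ofs)` is only free of its own underflow because `ofs <= ci_data(chn)` holds at that point; the commit message says each iteration first checks `ofs + 12 > ci_data(chn)`, so the invariant does hold, but it is implicit. Suggest a one-line comment above the check stating that `ofs` is known to be within `ci_data(chn)` here, so a later reordering of the loop does not silently turn the subtraction into a wrap of its own. It is also worth confirming that `body` is held in a type at least as wide as the 32-bit parameter value the message describes (up to 0xFFFFFFFF), otherwise the comparison is made on a truncated value.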
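Review bot: the smp_fetch_distcc_body() hunk duplicates the same two lines as the param fetch, and the surrounding token walk is evidently identical in both functions; factoring the walk into one shared helper would keep the two bounds checks from drifting apart again. Separately, a `body` larger than `ci_data(chn) - ofs` is what a legitimate token looks like when the rest of the request has simply not been received yet, not only what a malicious packet looks like, so please confirm that `goto no_match` is the intended result for the partial-data case rather than signalling that more data may arrive.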