BUG/MINOR: payload: prevent integer overflow in distcc token parsing

BUG/MINOR: payload: prevent integer overflow in distcc token parsing

In both smp_fetch_distcc_param() and smp_fetch_distcc_body(), the code
does "ofs += body" without checking if body is larger than the remaining
data. If a malicious distcc packet contains a token with a very large
body length (param value up to 0xFFFFFFFF), ofs could overflow and wrap
around to a small value, causing the next iteration's bounds check
"ofs + 12 > ci_data(chn)" to pass incorrectly.

This could lead to out-of-bounds reads or an infinite loop.

Given that this is only used in trusted environments, this is mostly
harmless. It can be backported to all stable versions.