In both smp_fetch_distcc_param() and smp_fetch_distcc_body(), the code
does "ofs += body" without checking if body is larger than the remaining
data. If a malicious distcc packet contains a token with a very large
body length (param value up to 0xFFFFFFFF), ofs could overflow and wrap
around to a small value, causing the next iteration's bounds check
"ofs + 12 > ci_data(chn)" to pass incorrectly.
This could lead to out-of-bounds reads or an infinite loop.
Given that this is only used in trusted environments, this is mostly
harmless. It can be backported to all stable versions.
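To make the wraparound concrete, here is an added C example (not HAProxy code) that puts the wrapping check and the patch's subtraction form side by side, then walks a token stream with the corrected check. The 12-byte token header (4-byte name followed by 8 hex digits of body length) and the helper names are assumptions for the demo; the constructed input buffers are embedded in `main`.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumed token layout: 4-byte name + 8 hex digits of body length. */
#define TOKEN_HDR 12

/* Parse 8 hex digits into a 32-bit length; returns 0 on a non-hex byte. */
static int parse_hex32(const unsigned char *p, uint32_t *out)
{
    uint32_t v = 0;
    for (int i = 0; i < 8; i++) {
        unsigned char c = p[i];
        v <<= 4;
        if (c >= '0' && c <= '9')      v |= (uint32_t)(c - '0');
        else if (c >= 'a' && c <= 'f') v |= (uint32_t)(c - 'a' + 10);
        else if (c >= 'A' && c <= 'F') v |= (uint32_t)(c - 'A' + 10);
        else return 0;
    }
    *out = v;
    return 1;
}

/* Pre-patch shape: "ofs + body" can wrap to a small value and the test
 * passes although body is far larger than the buffered data. */
int check_wraps(uint32_t ofs, uint32_t body, uint32_t avail)
{
    return (uint32_t)(ofs + body) <= avail;
}

/* Patch shape: compare body against the remaining bytes. Sound only while
 * ofs <= avail, which the header check in the loop below guarantees. */
int check_fixed(uint32_t ofs, uint32_t body, uint32_t avail)
{
    return body <= avail - ofs;
}

/* Count complete tokens in buf. Returns -1 when a body would run past the
 * buffered data (the patch's no_match path), -2 on a malformed length. */
int count_tokens(const unsigned char *buf, uint32_t avail)
{
    uint32_t ofs = 0;
    int n = 0;

    /* Invariant: ofs <= avail, so neither subtraction below can underflow. */
    while (avail - ofs >= TOKEN_HDR) {
        uint32_t body;
        if (!parse_hex32(buf + ofs + 4, &body))
            return -2;
        ofs += TOKEN_HDR;
        if (!check_fixed(ofs, body, avail))
            return -1;
        ofs += body;          /* ofs <= avail still holds */
        n++;
    }
    return n;
}

int main(void)
{
    /* Constructed inputs. */
    const unsigned char good[] = "DIST00000001xARGC00000002ab";   /* two tokens, 27 bytes */
    const unsigned char trunc[] = "DIST00000010abc";               /* claims 16 bytes, has 3 */

    printf("wrapping check lets body=0xFFFFFFF8 through: %d\n",
           check_wraps(12u, 0xFFFFFFF8u, 15u));
    printf("fixed check rejects it: %d\n", check_fixed(12u, 0xFFFFFFF8u, 15u));
    printf("tokens in good buffer: %d\n", count_tokens(good, 27));
    printf("tokens in truncated buffer: %d\n", count_tokens(trunc, 15));
    return 0;
}
```

The subtraction form is the right one here: `ofs + body > avail` has the same wrapping problem the commit describes, whereas `body > avail - ofs` cannot wrap as long as the loop has already established `ofs <= avail`.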
return 1;
}
}
+ if (body > ci_data(chn) - ofs)
+ goto no_match;
ofs += body;
}
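Review bot: the added `if (body > ci_data(chn) - ofs)` check is only sound because the loop's earlier `ofs + 12 > ci_data(chn)` test guarantees `ofs <= ci_data(chn)`, so the unsigned subtraction cannot underflow; a one-line comment stating that invariant would stop a later edit from "simplifying" it to `ofs + body > ci_data(chn)`, which reintroduces the wraparound the commit message describes.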
return 1;
}
}
+ if (body > ci_data(chn) - ofs)
+ goto no_match;
ofs += body;
}
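Review bot: this hunk duplicates the check from smp_fetch_distcc_param() verbatim; consider hoisting the header-and-body bounds validation into a shared static helper so both fetches stay in sync, and confirm that `goto no_match` here releases nothing the function acquired earlier in the loop, since the commit message says the new branch is the only exit on an oversized body.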