From: Willy Tarreau
Date: Wed, 29 Apr 2026 07:19:57 +0000 (+0200)
Subject: BUG/MINOR: payload: prevent integer overflow in distcc token parsing
X-Git-Tag: v3.4-dev10~6
X-Git-Url: http://www.kaiwu.me/postgresql/commit/?a=commitdiff_plain;h=465dca8e81e9db695880beda1dd973a794074895;p=haproxy.git

BUG/MINOR: payload: prevent integer overflow in distcc token parsing

In both smp_fetch_distcc_param() and smp_fetch_distcc_body(), the code does "ofs += body" without checking if body is larger than the remaining data. If a malicious distcc packet contains a token with a very large body length (param value up to 0xFFFFFFFF), ofs could overflow and wrap around to a small value, causing the next iteration's bounds check "ofs + 12 > ci_data(chn)" to pass incorrectly. This could lead to out-of-bounds reads or an infinite loop.

Given that this is only used in trusted environments, this is mostly harmless.

It can be backported to all stable versions.
---
diff --git a/src/payload.c b/src/payload.c index 0221929b9..457541189 100644 --- a/src/payload.c +++ b/src/payload.c @@ -1455,6 +1455,8 @@ smp_fetch_distcc_param(const struct arg *arg_p, struct sample *smp, const char * return 1; } } + if (body > ci_data(chn) - ofs) + goto no_match; ofs += body; } @@ -1547,6 +1549,8 @@ smp_fetch_distcc_body(const struct arg *arg_p, struct sample *smp, const char *k return 1; } } + if (body > ci_data(chn) - ofs) + goto no_match; ofs += body; }
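Review bot: In the first hunk (smp_fetch_distcc_param()), the added `if (body > ci_data(chn) - ofs)` is only correct while `ofs <= ci_data(chn)` holds at that point; both operands are unsigned, so if a later edit ever let `ofs` run past `ci_data(chn)` the subtraction would wrap to a huge value and the new check would silently pass, reintroducing the overflow this patch is fixing. The invariant does hold today, since the `ofs + 12 > ci_data(chn)` check the commit message describes runs before `ofs` is advanced past the 12-byte token header, but the new line should either carry a comment stating it, e.g. `/* ofs <= ci_data(chn) here, so the subtraction cannot wrap */`, or be written so it does not depend on it, e.g. `if (body > ci_data(chn) || ofs > ci_data(chn) - body)`.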
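Review bot: In the second hunk (smp_fetch_distcc_body()), the new check cannot tell a hostile body length from a legitimate body that simply has not fully arrived in the channel yet, and it answers both with a definitive `goto no_match`. The commit message says the existing `ofs + 12 > ci_data(chn)` check is what handles "not enough data yet"; with this change that path is no longer reached for any token whose body exceeds the data buffered so far, which matters most in smp_fetch_distcc_body(), where the body is the very thing being fetched. Please confirm that a body still in flight is meant to be reported as a hard miss rather than as "more data needed", or restrict the hard `no_match` to bodies that could never fit and let the existing check wait for the rest.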