commit 31d32634997bd59472b751d9fea87298edee75be from: Omar Polo via: Thomas Adam date: Thu Jun 23 14:09:34 2022 UTC strictier validation for data received from libexec helpers use correct error code and ok stsp@
commit - 12a8238ea919c7aa1d7dc6cf536d44025cf185d0
commit + 31d32634997bd59472b751d9fea87298edee75be
blob - e93c8a5a35c2b70a741ae9855620493f6e1ab327
blob + c1fb41744c3c30d9161cbdf76486db46fc6fddff
--- lib/privsep.c
+++ lib/privsep.c
@@ -354,7 +354,8 @@ got_privsep_recv_raw_obj(uint8_t **outbuf, off_t *size
 break;
 }
- if (*size + *hdrlen > GOT_PRIVSEP_INLINE_OBJECT_DATA_MAX) {
+ if (*size < 0 ||
+ *size + *hdrlen > GOT_PRIVSEP_INLINE_OBJECT_DATA_MAX) {
 err = got_error(GOT_ERR_PRIVSEP_LEN);
 break;
 }
@@ -1099,6 +1100,11 @@ got_privsep_recv_index_progress(int *done, int *nobj_t
 break;
 }
 iprogress = (struct got_imsg_index_pack_progress *)imsg.data;
+ if (iprogress->nobj_total < 0 || iprogress->nobj_indexed < 0 ||
+ iprogress->nobj_loose < 0 || iprogress->nobj_resolved < 0) {
+ err = got_error(GOT_ERR_RANGE);
+ break;
+ }
 *nobj_total = iprogress->nobj_total;
 *nobj_indexed = iprogress->nobj_indexed;
 *nobj_loose = iprogress->nobj_loose;
@@ -1131,6 +1137,9 @@ got_privsep_get_imsg_obj(struct got_object **obj, stru
 return got_error(GOT_ERR_PRIVSEP_LEN);
 iobj = imsg->data;
+ if (iobj->pack_offset < 0)
+ return got_error(GOT_ERR_PACK_OFFSET);
+ *obj = calloc(1, sizeof(**obj));
 if (*obj == NULL)
 return got_error_from_errno("calloc");
@@ -1737,7 +1746,8 @@ got_privsep_recv_blob(uint8_t **outbuf, size_t *size,
 break;
 }
- if (*size > GOT_PRIVSEP_INLINE_BLOB_DATA_MAX) {
+ if (*size > GOT_PRIVSEP_INLINE_BLOB_DATA_MAX ||
+ *size > datalen + sizeof(*iblob)) {
 err = got_error(GOT_ERR_PRIVSEP_LEN);
 break;
 }
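Review bot: The sum `*size + *hdrlen` in the new condition of got_privsep_recv_raw_obj can still wrap, because the added `*size < 0` test bounds only one operand and both values appear to come from the helper's message. Unless `*hdrlen` is range-checked before this hunk (its declaration and any earlier checks are outside the visible lines), compare each operand with the limit instead of adding them: `if (*size < 0 || *hdrlen > GOT_PRIVSEP_INLINE_OBJECT_DATA_MAX || *size > GOT_PRIVSEP_INLINE_OBJECT_DATA_MAX - *hdrlen) {`. The function body starts and ends outside the hunk.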
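Review bot: The added bound `*size > datalen + sizeof(*iblob)` in got_privsep_recv_blob looks inverted. The blob bytes that follow the header inside the message amount to `datalen - sizeof(*iblob)`, so the check as written accepts a `*size` larger than the payload actually received. The two id-list hunks later in this commit use the subtraction form (`datalen - sizeof(*idlist)`), which is presumably what was meant here: `*size > datalen - sizeof(*iblob)) {`. That form relies on `datalen >= sizeof(*iblob)` having been verified earlier, which is outside the hunk. If the data is later copied out of imsg.data using `*size`, the current form would permit a read past the end of the message.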
@@ -2417,6 +2427,10 @@ got_privsep_recv_gotconfig_remotes(struct got_remote_r
 break;
 }
 memcpy(&iremotes, imsg.data, sizeof(iremotes));
+ if (iremotes.nremotes < 0) {
+ err = got_error(GOT_ERR_PRIVSEP_LEN);
+ break;
+ }
 if (iremotes.nremotes == 0) {
 imsg_free(&imsg);
 return NULL;
@@ -3144,7 +3158,8 @@ got_privsep_recv_object_idlist(int *done, struct got_o
 break;
 }
 idlist = imsg.data;
- if (idlist->nids > GOT_IMSG_OBJ_ID_LIST_MAX_NIDS) {
+ if (idlist->nids > GOT_IMSG_OBJ_ID_LIST_MAX_NIDS ||
+ idlist->nids * sizeof(**ids) > datalen - sizeof(*idlist)) {
 err = got_error(GOT_ERR_PRIVSEP_LEN);
 break;
 }
@@ -3249,7 +3264,9 @@ got_privsep_recv_reused_deltas(int *done, struct got_i
 break;
 }
 ideltas = imsg.data;
- if (ideltas->ndeltas > GOT_IMSG_OBJ_ID_LIST_MAX_NIDS) {
+ if (ideltas->ndeltas > GOT_IMSG_OBJ_ID_LIST_MAX_NIDS ||
+ ideltas->ndeltas * sizeof(*deltas) >
+ datalen - sizeof(*ideltas)) {
 err = got_error(GOT_ERR_PRIVSEP_LEN);
 break;
 }
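Review bot: `iremotes.nremotes` gets a lower bound in got_privsep_recv_gotconfig_remotes but no upper bound, so any positive count the helper reports is accepted. If that count sizes an allocation or drives the receive loop after this hunk (not visible here), a cap would stop a misbehaving helper from forcing a very large allocation, e.g. `if (iremotes.nremotes < 0 || iremotes.nremotes > <project-chosen limit>) {`. The sign check on the index-progress counters in this commit returns GOT_ERR_RANGE while this one returns GOT_ERR_PRIVSEP_LEN; it would be worth settling on one code for negative counts.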
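Review bot: The new length test `idlist->nids * sizeof(**ids) > datalen - sizeof(*idlist)` in got_privsep_recv_object_idlist rejects short messages but still accepts one carrying more bytes than `nids` entries need. The same applies to the `ideltas->ndeltas` test in got_privsep_recv_reused_deltas. If the protocol expects an exact fit, `!=` is the stricter comparison: `idlist->nids * sizeof(**ids) != datalen - sizeof(*idlist)`. Both subtractions assume `datalen` was already checked to be at least the header size, which happens outside these hunks. A one-line comment stating that precondition would help, since an unsigned underflow there would make the bound meaningless.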