Harden peerDigestSwapInMask against invalid cache digest reply (#2423)

A cache_digest on-the-wire size may be bigger than the
mask_size declared in the digest itself.

Ignore the digest in case this happens.

diff --git a/src/peer_digest.cc b/src/peer_digest.cc
index 00fb8cb4f739b1c8a3fc051a2d9f6f60fd03dae2..3546208e72ecd2b881986a1953d97a573d73197c 100644 (file)
--- a/src/peer_digest.cc
+++ b/src/peer_digest.cc
@@ -558,6 +558,11 @@ peerDigestSwapInMask(void *data, char *buf, ssize_t size)
      * NOTENOTENOTENOTENOTE: buf doesn't point to pd->cd->mask anymore!
      * we need to do the copy ourselves!
      */
+    Assure(size >= 0);
+    if (fetch->mask_offset + size > static_cast<ssize_t>(pd->cd->mask_size)) {
+        finishAndDeleteFetch(fetch, "peer digest mask data too large", true);
+        return -1;
+    }
     memcpy(pd->cd->mask + fetch->mask_offset, buf, size);
 
     /* NOTE! buf points to the middle of pd->cd->mask! */