From: Francesco Chemolli <5175948+kinkie@users.noreply.github.com>
Date: Sat, 30 May 2026 10:16:33 +0000 (+0000)
Subject: Harden peerDigestSwapInMask against invalid cache digest reply (#2423)
X-Git-Url: http://git.ipfire.org/gitweb/index.cgi?a=commitdiff_plain;h=556b91a8a758b6ef28fee25bc0dad834d4815b4a;p=thirdparty%2Fsquid.git

Harden peerDigestSwapInMask against invalid cache digest reply (#2423)

A cache_digest on-the-wire size may be bigger than the
mask_size declared in the digest itself.

Ignore the digest in case this happens.
---

diff --git a/src/peer_digest.cc b/src/peer_digest.cc
index 00fb8cb4f7..3546208e72 100644
--- a/src/peer_digest.cc
+++ b/src/peer_digest.cc
@@ -558,6 +558,11 @@ peerDigestSwapInMask(void *data, char *buf, ssize_t size)
      * NOTENOTENOTENOTENOTE: buf doesn't point to pd->cd->mask anymore!
      * we need to do the copy ourselves!
      */
+    Assure(size >= 0);
+    if (fetch->mask_offset + size > static_cast<ssize_t>(pd->cd->mask_size)) {
+        finishAndDeleteFetch(fetch, "peer digest mask data too large", true);
+        return -1;
+    }
     memcpy(pd->cd->mask + fetch->mask_offset, buf, size);
 
     /* NOTE! buf points to the middle of pd->cd->mask! */