From 556b91a8a758b6ef28fee25bc0dad834d4815b4a Mon Sep 17 00:00:00 2001
From: Francesco Chemolli <5175948+kinkie@users.noreply.github.com>
Date: Sat, 30 May 2026 10:16:33 +0000
Subject: [PATCH] Harden peerDigestSwapInMask against invalid cache digest reply (#2423)

A cache_digest on-the-wire size may be bigger than the mask_size declared in the digest itself. Ignore the digest in case this happens.
---
 src/peer_digest.cc | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/src/peer_digest.cc b/src/peer_digest.cc
index 00fb8cb4f7..3546208e72 100644
--- a/src/peer_digest.cc
+++ b/src/peer_digest.cc
@@ -558,6 +558,11 @@ peerDigestSwapInMask(void *data, char *buf, ssize_t size)
 * NOTENOTENOTENOTENOTE: buf doesn't point to pd->cd->mask anymore!
 * we need to do the copy ourselves!
 */
+ Assure(size >= 0);
+ if (fetch->mask_offset + size > static_cast(pd->cd->mask_size)) {
+ finishAndDeleteFetch(fetch, "peer digest mask data too large", true);
+ return -1;
+ }
 memcpy(pd->cd->mask + fetch->mask_offset, buf, size);
 /* NOTE! buf points to the middle of pd->cd->mask! */
-- 
2.47.3
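Review bot: The new bound is computed as a sum, `fetch->mask_offset + size`, and the hunk does not show the types of the operands, so it cannot be confirmed from here that the addition never wraps (for example on a build where ssize_t is 32 bits) before it is compared with the mask size. Because `Assure(size >= 0)` has already run, comparing against the remaining room sidesteps the question: reject `fetch->mask_offset > pd->cd->mask_size` first, then test `static_cast<size_t>(size) > pd->cd->mask_size - fetch->mask_offset`, assuming both fields are unsigned. A short comment above the check would also help the next reader, such as `// the peer controls how much mask data arrives; never copy past the mask_size it declared`. peerDigestSwapInMask starts and ends outside the hunk, so any earlier validation of mask_offset or of pd->cd is not visible here.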