commit c98b0f0b57cce101941efd993eac8b9e3be2a70a from: Omar Polo date: Tue Jun 14 13:16:15 2022 UTC strictier validation for data received from libexec helpers use correct error code and ok stsp@ commit - 3e6054c427d642654d5abed63965eead037a7b2f commit + c98b0f0b57cce101941efd993eac8b9e3be2a70a blob - 21a5f45a6a3532a761fd10a3571500e8c14f8087 blob + 0524ef11c75a6736de2b1e1866663ad0304d4b44 --- lib/privsep.c +++ lib/privsep.c @@ -355,7 +355,8 @@ got_privsep_recv_raw_obj(uint8_t **outbuf, off_t *size break; } - if (*size + *hdrlen > GOT_PRIVSEP_INLINE_OBJECT_DATA_MAX) { + if (*size < 0 || + *size + *hdrlen > GOT_PRIVSEP_INLINE_OBJECT_DATA_MAX) { err = got_error(GOT_ERR_PRIVSEP_LEN); break; } @@ -1100,6 +1101,11 @@ got_privsep_recv_index_progress(int *done, int *nobj_t break; } iprogress = (struct got_imsg_index_pack_progress *)imsg.data; + if (iprogress->nobj_total < 0 || iprogress->nobj_indexed < 0 || + iprogress->nobj_loose < 0 || iprogress->nobj_resolved < 0) { + err = got_error(GOT_ERR_RANGE); + break; + } *nobj_total = iprogress->nobj_total; *nobj_indexed = iprogress->nobj_indexed; *nobj_loose = iprogress->nobj_loose; @@ -1132,6 +1138,9 @@ got_privsep_get_imsg_obj(struct got_object **obj, stru return got_error(GOT_ERR_PRIVSEP_LEN); iobj = imsg->data; + if (iobj->pack_offset < 0) + return got_error(GOT_ERR_PACK_OFFSET); + *obj = calloc(1, sizeof(**obj)); if (*obj == NULL) return got_error_from_errno("calloc"); @@ -1738,7 +1747,8 @@ got_privsep_recv_blob(uint8_t **outbuf, size_t *size, break; } - if (*size > GOT_PRIVSEP_INLINE_BLOB_DATA_MAX) { + if (*size > GOT_PRIVSEP_INLINE_BLOB_DATA_MAX || + *size > datalen + sizeof(*iblob)) { err = got_error(GOT_ERR_PRIVSEP_LEN); break; } @@ -2418,6 +2428,10 @@ got_privsep_recv_gotconfig_remotes(struct got_remote_r break; } memcpy(&iremotes, imsg.data, sizeof(iremotes)); + if (iremotes.nremotes < 0) { + err = got_error(GOT_ERR_PRIVSEP_LEN); + break; + } if (iremotes.nremotes == 0) { imsg_free(&imsg); return NULL; 
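Review bot: In got_privsep_recv_raw_obj the sum `*size + *hdrlen` can still wrap when `*hdrlen` is very large, because the added `*size < 0` test covers only the negative case and no range check on `*hdrlen` is visible in this hunk. If `*hdrlen` comes from the same helper message, bound each term on its own instead of relying on the addition, for example `*hdrlen > GOT_PRIVSEP_INLINE_OBJECT_DATA_MAX || *size > GOT_PRIVSEP_INLINE_OBJECT_DATA_MAX - *hdrlen` after the `*size < 0` test. The function starts and ends outside the hunk, so an earlier check on `*hdrlen` may already exist; confirm it.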
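Review bot: The added bound in got_privsep_recv_blob, `*size > datalen + sizeof(*iblob)`, looks inverted. If the inline blob bytes follow the `*iblob` header inside the same message, the payload actually received is `datalen - sizeof(*iblob)`, which is the form the idlist and reused-deltas hunks of this commit use. As written, a helper can declare a `*size` larger than the bytes it sent and still pass, so any later copy of `*size` bytes out of the message would read past the payload. Suggested: `*size > datalen - sizeof(*iblob)`, provided `datalen >= sizeof(*iblob)` is verified above the hunk, which is not visible here.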
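Review bot: A negative `iremotes.nremotes` is reported as `GOT_ERR_PRIVSEP_LEN`, while the negative counters in got_privsep_recv_index_progress in this same commit return `GOT_ERR_RANGE`. Using one code for an out-of-range count would make a misbehaving helper easier to tell apart from a framing error. Only the lower bound is checked in the visible lines; if `nremotes` later sizes an allocation or drives a receive loop, an upper limit belongs next to this check. The rest of the function is outside the hunk.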
@@ -3145,7 +3159,8 @@ got_privsep_recv_object_idlist(int *done, struct got_o break; } idlist = imsg.data; - if (idlist->nids > GOT_IMSG_OBJ_ID_LIST_MAX_NIDS) { + if (idlist->nids > GOT_IMSG_OBJ_ID_LIST_MAX_NIDS || + idlist->nids * sizeof(**ids) > datalen - sizeof(*idlist)) { err = got_error(GOT_ERR_PRIVSEP_LEN); break; } @@ -3250,7 +3265,9 @@ got_privsep_recv_reused_deltas(int *done, struct got_i break; } ideltas = imsg.data; - if (ideltas->ndeltas > GOT_IMSG_OBJ_ID_LIST_MAX_NIDS) { + if (ideltas->ndeltas > GOT_IMSG_OBJ_ID_LIST_MAX_NIDS || + ideltas->ndeltas * sizeof(*deltas) > + datalen - sizeof(*ideltas)) { err = got_error(GOT_ERR_PRIVSEP_LEN); break; }
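Review bot: The right-hand side `datalen - sizeof(*idlist)` is unsigned arithmetic, so if `datalen` can be smaller than `sizeof(*idlist)` here it wraps to a huge value and the new length test never fires. The same applies to `datalen - sizeof(*ideltas)` in got_privsep_recv_reused_deltas. The context just above each hunk is probably the minimum-length check, but it is cut off, so confirm it exists. The test also tolerates trailing bytes; if the sender always packs exactly `nids` entries, `idlist->nids * sizeof(**ids) != datalen - sizeof(*idlist)` would be the stricter form.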
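Review bot: `ideltas->ndeltas` is capped with `GOT_IMSG_OBJ_ID_LIST_MAX_NIDS`, a limit named for object-id lists, although the elements counted here are `*deltas` entries, presumably of a different size. The added `datalen` comparison now bounds the count by what was actually received, but a cap defined for this message type would document the intended maximum. The constant predates this commit and is only carried over, so check whether the reuse is deliberate.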