From 9759126552c5b833e8ba0aa1989f27c7a0e3d3d4 Mon Sep 17 00:00:00 2001
From: Daniel Markstedt <daniel@mindani.net>
Date: Mon, 4 May 2026 21:06:16 +0200
Subject: [PATCH] CVE-2026-44050: cnid_dbd: validate CNID request name length

Reported-by: @00redbeer
Signed-off-by: Daniel Markstedt <daniel@mindani.net>
---
 etc/cnid_dbd/comm.c | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/etc/cnid_dbd/comm.c b/etc/cnid_dbd/comm.c
index dd47e1b17..e174a9cc7 100644
--- a/etc/cnid_dbd/comm.c
+++ b/etc/cnid_dbd/comm.c
@@ -247,6 +247,13 @@ int comm_rcv(struct cnid_dbd_rqst *rqst, time_t timeout,
 
     rqst->name = nametmp;
 
+    if (rqst->namelen > MAXPATHLEN) {
+        LOG(log_error, logtype_cnid, "comm_rcv: name too long: %zu",
+            rqst->namelen);
+        invalidate_fd(cur_fd);
+        return 0;
+    }
+
     if (rqst->namelen
             && readt(cur_fd, (char *)rqst->name, rqst->namelen, 1, CNID_DBD_TIMEOUT)
             != rqst->namelen) {