From 3af1b4118e0e3231a53439f618421463bf6ea6bd Mon Sep 17 00:00:00 2001 From: Daniel Markstedt Date: Thu, 7 May 2026 23:42:16 +0200 Subject: [PATCH] CVE-2026-45356: afpd: guard against unsigned underflow in sl_unpack_loop count decrement Reported-by: @TristanInSec Signed-off-by: Daniel Markstedt --- etc/afpd/spotlight_marshalling.c | 24 ++++++++++++++++++++++++ 1 file changed, 24 insertions(+) diff --git a/etc/afpd/spotlight_marshalling.c b/etc/afpd/spotlight_marshalling.c index 769982e6e..4a5a7ee00 100644 --- a/etc/afpd/spotlight_marshalling.c +++ b/etc/afpd/spotlight_marshalling.c @@ -796,6 +796,10 @@ static int sl_unpack_loop(DALLOC_CTX *query, dalloc_add_copy(query, &nil, sl_nil_t); } + if (subcount > count) { + EC_FAIL; + } + offset += query_length; count -= subcount; break; @@ -809,24 +813,44 @@ static int sl_unpack_loop(DALLOC_CTX *query, case SQ_TYPE_INT64: EC_NEG1_LOG(subcount = sl_unpack_ints(query, buf, offset, encoding)); + + if (subcount > count) { + EC_FAIL; + } + offset += query_length; count -= subcount; break; case SQ_TYPE_UUID: EC_NEG1_LOG(subcount = sl_unpack_uuid(query, buf, offset, encoding)); + + if (subcount > count) { + EC_FAIL; + } + offset += query_length; count -= subcount; break; case SQ_TYPE_FLOAT: EC_NEG1_LOG(subcount = sl_unpack_floats(query, buf, offset, encoding)); + + if (subcount > count) { + EC_FAIL; + } + offset += query_length; count -= subcount; break; case SQ_TYPE_DATE: EC_NEG1_LOG(subcount = sl_unpack_date(query, buf, offset, encoding)); + + if (subcount > count) { + EC_FAIL; + } + offset += query_length; count -= subcount; break;
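Review bot: The new `if (subcount > count) { EC_FAIL; }` guards (after the nil-fill loop in the first hunk, and after each of the `sl_unpack_ints`, `sl_unpack_uuid`, `sl_unpack_floats` and `sl_unpack_date` calls in the second) fail the unpack without logging anything, unlike the `EC_NEG1_LOG` calls directly above them. A sub-element count larger than the remaining count can only come from a malformed or deliberately crafted Spotlight request, so a log line before the failure would give operators something to alert on, for example `LOG(log_error, logtype_sl, "sl_unpack_loop: subcount %u exceeds remaining count %u", subcount, count);`. The same check is also repeated five times, so a small `static` helper or macro that does the comparison and the decrement together would make it harder for a later `case` to omit it. The declarations of `subcount` and `count` and the other cases of the switch lie outside these hunks, so confirm the format specifiers and whether the remaining decrements need the same guard against the full function.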