From 21feb47454eb593879b58e8c997e59a4c744e1e8 Mon Sep 17 00:00:00 2001
From: freyers
Date: Fri, 15 May 2026 22:19:18 +0000
Subject: [PATCH] fix(carbonio): validate machoNet oob length against payload size

A hostile peer controls m_oobDataLen via the packet's out-of-band length prefix. It was only bounded by maxPacketSize, never by the payload actually received, so m_payload could be advanced past m_data, payloadLen() - m_oobDataLen could underflow, and adjacent heap memory was disclosed to the oob callbacks. Reject packets whose oob block plus its length prefix exceeds payloadLen().
---
 src/carbonio.cpp | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/src/carbonio.cpp b/src/carbonio.cpp
index b102b90..fdf6641 100644
--- a/src/carbonio.cpp
+++ b/src/carbonio.cpp
@@ -1932,6 +1932,12 @@ bool StreamPacketReceiveRequest::needMore()
 {
 return false;
 }
+ if ( static_cast( m_oobDataLen ) + sizeof( m_oobDataLen ) > payloadLen() )
+ {
+ PyErr_Format(PyExc_OSError, "corrupted out-of-band data in packet: oob length %u exceeds payload size %zu", m_oobDataLen, payloadLen());
+ return false;
+ }
+
 m_payload += sizeof(m_oobDataLen);
 m_oobData = m_payload;
 m_payload += m_oobDataLen;
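Review bot: The new guard in needMore() has no comment saying why the existing maxPacketSize bound is not enough, so the reasoning in the commit message is lost to the next reader of this code; I would put it directly above the `if`: `// m_oobDataLen is peer-controlled and maxPacketSize is only a nominal bound.` / `// Bound it by the bytes actually received (length prefix included) before` / `// m_payload is advanced past them and payloadLen() - m_oobDataLen is formed.` As rendered here the cast reads `static_cast( m_oobDataLen )` with no type argument, which is not valid C++; presumably `<size_t>` was lost in rendering, but it is worth confirming the committed line carries it, since the explicit widening is what makes the comparison against payloadLen() unambiguous if m_oobDataLen is a narrower unsigned type. If m_oobDataLen is read from the prefix and used anywhere between that parse and this guard (both outside the hunk), the guard belongs immediately after the parse. needMore() begins before this hunk and continues after it.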