From 35972c6a3d9e3b09d5e53ebac818c231107bb0ee Mon Sep 17 00:00:00 2001 From: Addison Crump Date: Fri, 2 Feb 2024 11:43:11 +0100 Subject: [PATCH] fix some bounds checks --- src/daemon/main.c | 22 ++++++++++++++-------- src/daemon/slave.c | 16 ++++++++++------ 2 files changed, 24 insertions(+), 14 deletions(-) diff --git a/src/daemon/main.c b/src/daemon/main.c index 47a94586..58a61412 100644 --- a/src/daemon/main.c +++ b/src/daemon/main.c @@ -61,25 +61,31 @@ handle_parent_connection (int s) "Parent (%d) received command %lu from client.", getpid (), cmnd->command); - if (cmnd->data_size >= BUFSIZ) { - syslog_message (LOG_WARNING, - "Client sent %lu bytes, but buffer is %lu", - cmnd->data_size, (unsigned long)BUFSIZ); - return; - } - memset (resp, 0, sizeof (glibtop_response)); memset (parameter, 0, sizeof (parameter)); if (cmnd->data_size) { + if (cmnd->data_size >= BUFSIZ) { + syslog_message (LOG_WARNING, + "Client sent %lu bytes, but buffer is %lu", + cmnd->data_size, (unsigned long)BUFSIZ); + return; + } + if (enable_debug) syslog_message (LOG_DEBUG, "Client has %lu bytes of data.", cmnd->data_size); do_read (s, parameter, cmnd->data_size); - } else if (cmnd->size) { + if (cmnd->size >= BUFSIZ) { + syslog_message (LOG_WARNING, + "Client sent %lu bytes, but buffer is %lu", + cmnd->size, (unsigned long)BUFSIZ); + return; + } + memcpy (parameter, cmnd->parameter, cmnd->size); } diff --git a/src/daemon/slave.c b/src/daemon/slave.c index 80b2b5ab..25bd19e7 100644 --- a/src/daemon/slave.c +++ b/src/daemon/slave.c 
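Review bot: The new `cmnd->size >= BUFSIZ` check in front of `memcpy (parameter, cmnd->parameter, cmnd->size)` bounds only the destination buffer. The source is a field inside the command structure, and if `cmnd->parameter` is a fixed array smaller than BUFSIZ (its declaration is not in this hunk), a client-chosen `size` below BUFSIZ still makes memcpy read past the end of it. Consider bounding by both buffers, `if (cmnd->size > sizeof (cmnd->parameter) || cmnd->size >= sizeof (parameter)) {`, and comparing `data_size` with `sizeof (parameter)` rather than BUFSIZ so the check follows the buffer it protects. The same applies to the matching `cmnd->size` check in the src/daemon/slave.c hunk. handle_parent_connection starts and ends outside the hunk.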
@@ -44,22 +44,26 @@ handle_slave_connection (int input, int output) glibtop_debug ("Slave %d received command " "%lu from client.", getpid (), cmnd->command); - if (cmnd->data_size >= BUFSIZ) - glibtop_error ("Client sent %lu bytes, " - "but buffer is %lu", - cmnd->size, (unsigned long)BUFSIZ); - memset (resp, 0, sizeof (glibtop_response)); memset (parameter, 0, sizeof (parameter)); if (cmnd->data_size) { + if (cmnd->data_size >= BUFSIZ) + glibtop_error ("Client sent %lu bytes, " + "but buffer is %lu", + cmnd->data_size, (unsigned long)BUFSIZ); + glibtop_debug ("Client has %lu bytes of data.", cmnd->data_size); do_read (input, parameter, cmnd->data_size); - } else if (cmnd->size) { + if (cmnd->size >= BUFSIZ) + glibtop_error ("Client sent %lu bytes, " + "but buffer is %lu", + cmnd->size, (unsigned long)BUFSIZ); + memcpy (parameter, cmnd->parameter, cmnd->size); }
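Review bot: Neither new check in handle_slave_connection stops execution by itself, because there is no `return` after `glibtop_error (...)`. The following `do_read` and `memcpy` would still run with the oversized length unless glibtop_error never returns, which this hunk does not show. Either mirror the main.c version with braces and an explicit `return;` after the call, or, if glibtop_error is known to exit, state that next to the check with a comment such as `/* glibtop_error () does not return */`. The function body continues outside the hunk.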