commit 37603cbd06eaaba2570979c140c6c94d51279148
from: deraadt
date: Fri Aug 1 08:16:31 2025 UTC
For IMSG_BINDANY, bnd.bnd_proc wasn't range checked to ensure it is positive. As a result IF the other side of the privsep was succesfully exploited, it could then send such a flawed message and cause a cause an array bounds violation over the privsep boundary. Reported by S. Ai, H. Lefeuvre, Systopia team ok claudio
commit - 9b58f4a4879445d21104976317b2d25c8743c98a
commit + 37603cbd06eaaba2570979c140c6c94d51279148
blob - 43fd777ef62527dd60b7bbdf951497d09c2ecd7e
blob + eaad7b6a3b8bf71839ae6c967ec244d3b8209c2c
--- relayd.c
+++ relayd.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: relayd.c,v 1.194 2025/04/24 20:32:33 claudio Exp $ */
+/* $OpenBSD: relayd.c,v 1.195 2025/08/01 08:16:31 deraadt Exp $ */
 /*
 * Copyright (c) 2007 - 2016 Reyk Floeter
@@ -485,7 +485,7 @@ parent_dispatch_relay(int fd, struct privsep_proc *p,
 case IMSG_BINDANY:
 IMSG_SIZE_CHECK(imsg, &bnd);
 bcopy(imsg->data, &bnd, sizeof(bnd));
- if (bnd.bnd_proc > env->sc_conf.prefork_relay)
+ if (bnd.bnd_proc < 0 || bnd.bnd_proc > env->sc_conf.prefork_relay)
 fatalx("%s: invalid relay proc", __func__);
 switch (bnd.bnd_proto) {
 case IPPROTO_TCP:
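Review bot: The upper bound on the new `if` line in the IMSG_BINDANY hunk is still `> env->sc_conf.prefork_relay`, so `bnd_proc == prefork_relay` passes the check; if bnd_proc is later used as an index into a prefork_relay-sized per-instance array, that value is one past the end, and the test should be `if (bnd.bnd_proc < 0 || bnd.bnd_proc >= env->sc_conf.prefork_relay)`. Whether the bound is meant to be inclusive cannot be confirmed from this hunk, so it is worth checking against the consumer of bnd_proc before closing the issue. The lower-bound check also depends on bnd_proc being a signed type, which is not visible here; a short comment such as `/* bnd_proc comes from a less-privileged process: reject before it is used as an instance index */` above the check would record why this field is validated when neighbouring fields are not. parent_dispatch_relay starts and ends outside the hunk.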