From 94b6e4a4c2d92ad27adb9d6e5d489cac55cb2aaa Mon Sep 17 00:00:00 2001
From: Daniel Markstedt
Date: Wed, 6 May 2026 21:46:34 +0200
Subject: [PATCH] CVE-2026-44064: libatalk/asp: bounds-check ASP session ID

Reported-by: @00redbeer
Signed-off-by: Daniel Markstedt
---
 libatalk/asp/asp_getsess.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/libatalk/asp/asp_getsess.c b/libatalk/asp/asp_getsess.c
index 300843910..36c1ccca2 100644
--- a/libatalk/asp/asp_getsess.c
+++ b/libatalk/asp/asp_getsess.c
@@ -177,7 +177,11 @@ ASP asp_getsession(ASP asp, server_child_t *server_children,
 switch (asp->cmdbuf[0]) {
 case ASPFUNC_TICKLE:
- sid = asp->cmdbuf[1];
+ sid = (unsigned char)asp->cmdbuf[1];
+
+ if (sid >= children->servch_nsessions) {
+ break;
+ }
 if ((asp_ac[sid] != NULL) && (asp_ac[sid]->ac_state != ACSTATE_DEAD)) {
 asp_ac[sid]->ac_state = ACSTATE_OK;
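Review bot: The new guard in the ASPFUNC_TICKLE case bounds `sid` by `children->servch_nsessions` while the array actually indexed is `asp_ac`, and nothing in the hunk shows that the two are the same size; a short comment above the check would pin that invariant, e.g. `/* sid is peer-controlled; asp_ac[] is assumed to hold servch_nsessions entries */`. The `(unsigned char)` cast only removes the negative-index case if `sid` is declared as a type that can hold 0..255, and its declaration is outside the hunk, so that is worth confirming. The `break` also discards the out-of-range tickle silently; a rate-limited log line there, using whatever logging this file already has, would make malformed session IDs visible to operators. asp_getsession's body starts and ends outside the hunk, so whether the other cases of the switch index `asp_ac` with a packet-supplied value cannot be judged from here.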