ncp: validate salvage scan path request

src/namspace.c

@@ -2797,6 +2797,23 @@ int handle_func_0x57_salvage_scan(uint8 *q, int request_len,
   scan_sequence = GET_32(q + 7);
   nwpathstruct = (NW_HPATH *)(q + 11);
 
+  {
+    uint8 *pp = nwpathstruct->pathes;
+    uint8 *end = q + request_len;
+    int k;
+
+    for (k = 0; k < nwpathstruct->components; k++) {
+      int len;
+
+      if (pp >= end)
+        return(-0xfb);
+      len = (int)*pp++;
+      if (len > (int)(end - pp))
+        return(-0xfb);
+      pp += len;
+    }
+  }
+
   result = build_base(namespace, nwpathstruct, nwpathstruct->pathes,
                       0, NULL, 0);
   if (result < 0)