diff options
author | Patrick Steinhardt <ps@pks.im> | 2018-08-09 11:04:42 +0200 |
---|---|---|
committer | Patrick Steinhardt <ps@pks.im> | 2018-10-03 16:09:38 +0200 |
commit | 5fabaca801e1f5e7a1054be612e8fabec7cd6a7f (patch) | |
tree | b68e8d0d99a8d27b5faff98eaf1eb9e860d86220 | |
parent | b5ba7af2d30c958b090dcf135749d9afe89ec703 (diff) | |
download | libgit2-5fabaca801e1f5e7a1054be612e8fabec7cd6a7f.tar.gz |
smart_pkt: fix buffer overflow when parsing "unpack" packets
When checking whether an "unpack" packet returned the "ok" status or
not, we use a call to `git__prefixcmp`. In case where the passed line
isn't properly NUL terminated, though, this may overrun the line buffer.
Fix this by using `git__prefixncmp` instead.
-rw-r--r-- | src/transports/smart_pkt.c | 6 |
1 files changed, 2 insertions, 4 deletions
diff --git a/src/transports/smart_pkt.c b/src/transports/smart_pkt.c index 3b145f834..a19b226f5 100644 --- a/src/transports/smart_pkt.c +++ b/src/transports/smart_pkt.c @@ -350,13 +350,11 @@ static int unpack_pkt(git_pkt **out, const char *line, size_t len) { git_pkt_unpack *pkt; - GIT_UNUSED(len); - pkt = git__malloc(sizeof(*pkt)); GITERR_CHECK_ALLOC(pkt); - pkt->type = GIT_PKT_UNPACK; - if (!git__prefixcmp(line, "unpack ok")) + + if (!git__prefixncmp(line, len, "unpack ok")) pkt->unpack_ok = 1; else pkt->unpack_ok = 0; |