author | Patrick Steinhardt <ps@pks.im> | 2018-08-06 10:49:54 +0200 |
---|---|---|
committer | GitHub <noreply@github.com> | 2018-08-06 10:49:54 +0200 |
commit | e98d0a37c93574d2c6107bf7f31140b548c6a7bf (patch) | |
tree | 70409052281b7cf0e246e1e313d82fd05bfa962f | |
parent | a3e53c166c742da5913f776944be2c7fa94db838 (diff) | |
parent | 81532654b947a673d6da6bce967307f1e3f2db30 (diff) | |
download | libgit2-e98d0a37c93574d2c6107bf7f31140b548c6a7bf.tar.gz |
Merge pull request #4757 from pks-t/pks/v0.26.6v0.26.6
Release v0.26.6
-rw-r--r-- | .travis.yml | 1 | ||||
-rw-r--r-- | CHANGELOG.md | 15 | ||||
-rw-r--r-- | include/git2/version.h | 4 | ||||
-rw-r--r-- | src/transports/smart_pkt.c | 10 |
4 files changed, 26 insertions, 4 deletions
diff --git a/.travis.yml b/.travis.yml
index 4c7f8f1ad..83b6602aa 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -37,6 +37,7 @@ addons:
 - valgrind
 
 sudo: false
+osx_image: xcode8.3
 
 matrix:
 fast_finish: true
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 0ec40983b..e51f76271 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,3 +1,18 @@
+v0.26.6
+-------
+
+This is a security release fixing out-of-bounds reads when
+processing smart-protocol "ng" packets.
+
+When parsing an "ng" packet, we keep track of both the current position
+as well as the remaining length of the packet itself. But instead of
+taking care not to exceed the length, we pass the current pointer's
+position to `strchr`, which will search for a certain character until
+hitting NUL. It is thus possible to create a crafted packet which
+doesn't contain a NUL byte to trigger an out-of-bounds read.
+
+The issue was discovered by the oss-fuzz project, issue 9406.
+
 v0.26.5
 -------
 
diff --git a/include/git2/version.h b/include/git2/version.h
index c72e48f4b..f16bb9117 100644
--- a/include/git2/version.h
+++ b/include/git2/version.h
@@ -7,10 +7,10 @@
 #ifndef INCLUDE_git_version_h__
 #define INCLUDE_git_version_h__
 
-#define LIBGIT2_VERSION "0.26.5"
+#define LIBGIT2_VERSION "0.26.6"
 #define LIBGIT2_VER_MAJOR 0
 #define LIBGIT2_VER_MINOR 26
-#define LIBGIT2_VER_REVISION 5
+#define LIBGIT2_VER_REVISION 6
 #define LIBGIT2_VER_PATCH 0
 
 #define LIBGIT2_SOVERSION 26
diff --git a/src/transports/smart_pkt.c b/src/transports/smart_pkt.c
index a661dfe13..d10d6c68f 100644
--- a/src/transports/smart_pkt.c
+++ b/src/transports/smart_pkt.c
@@ -299,8 +299,11 @@ static int ng_pkt(git_pkt **out, const char *line, size_t len)
 pkt->ref = NULL;
 pkt->type = GIT_PKT_NG;
 
+if (len < 3)
+goto out_err;
 line += 3; /* skip "ng " */
-if (!(ptr = strchr(line, ' ')))
+len -= 3;
+if (!(ptr = memchr(line, ' ', len)))
 goto out_err;
 len = ptr - line;
 
@@ -311,8 +314,11 @@ static int ng_pkt(git_pkt **out, const char *line, size_t len)
 memcpy(pkt->ref, line, len);
 pkt->ref[len] = '\0';
 
+if (len < 1)
+goto out_err;
 line = ptr + 1;
-if (!(ptr = strchr(line, '\n')))
+len -= 1;
+if (!(ptr = memchr(line, '\n', len)))
 goto out_err;
 len = ptr - line;
 
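Review bot: The bound handed to `memchr(line, '\n', len)` here is not the number of bytes left in the packet: `len` was overwritten with the ref-name length (`len = ptr - line`) at the end of the previous hunk and still holds that value when this hunk starts, as `memcpy(pkt->ref, line, len)` shows, so `if (len < 1)` and `len -= 1` derive the search limit from the ref name instead of from the data after the space. A ref name longer than the remainder still lets memchr read past the packet end, and a ref name shorter than the message (e.g. `ng a some longer message\n`) makes memchr return NULL and the packet is rejected as malformed. Unless `len` is restored in the lines between the two hunks (not visible here), I would record the packet end before `line += 3` in the first hunk, `const char *eol = line + len;`, and bound this search with it, `if (!(ptr = memchr(line, '\n', (size_t)(eol - line))))`, dropping the `len < 1` / `len -= 1` pair since a zero remainder then makes memchr return NULL on its own. ng_pkt's body continues beyond this hunk.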