authorPatrick Steinhardt <ps@pks.im>2018-08-06 10:49:49 +0200
committerGitHub <noreply@github.com>2018-08-06 10:49:49 +0200
commit8b89f362a34fcccdf1c6c5f3445895b71d9c6d56 (patch)
tree1f171290fab979afdc9b7b3dc277c87c19fe6d43
parent504bd54a2b57e8d606c63c00e5e15ea68a30bc5b (diff)
parentc5dd0ea101c36abc43775cfaf66dbe16f9da7d61 (diff)
Merge pull request #4756 from pks-t/pks/v0.27.4v0.27.4
Release v0.27.4
-rw-r--r--.travis.yml1
-rw-r--r--CHANGELOG.md15
-rw-r--r--include/git2/version.h4
-rw-r--r--src/transports/smart_pkt.c10
4 files changed, 26 insertions, 4 deletions
diff --git a/.travis.yml b/.travis.yml
index a4c8e91df..3a55e86b0 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -21,6 +21,7 @@ env:
- OPTIONS="-DTHREADSAFE=OFF -DBUILD_EXAMPLES=ON -DENABLE_WERROR=ON"
dist: trusty
+osx_image: xcode8.3
sudo: false
addons:
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 8b149ee4c..be62aa63d 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,3 +1,18 @@
+v0.27.4
+-------
+
+This is a security release fixing out-of-bounds reads when
+processing smart-protocol "ng" packets.
+
+When parsing an "ng" packet, we keep track of both the current position
+as well as the remaining length of the packet itself. But instead of
+taking care not to exceed the length, we pass the current pointer's
+position to `strchr`, which will search for a certain character until
+hitting NUL. It is thus possible to create a crafted packet which
+doesn't contain a NUL byte to trigger an out-of-bounds read.
+
+The issue was discovered by the oss-fuzz project, issue 9406.
+
v0.27.3
-------
diff --git a/include/git2/version.h b/include/git2/version.h
index 8c2594f50..7c4242657 100644
--- a/include/git2/version.h
+++ b/include/git2/version.h
@@ -7,10 +7,10 @@
#ifndef INCLUDE_git_version_h__
#define INCLUDE_git_version_h__
-#define LIBGIT2_VERSION "0.27.3"
+#define LIBGIT2_VERSION "0.27.4"
#define LIBGIT2_VER_MAJOR 0
#define LIBGIT2_VER_MINOR 27
-#define LIBGIT2_VER_REVISION 3
+#define LIBGIT2_VER_REVISION 4
#define LIBGIT2_VER_PATCH 0
#define LIBGIT2_SOVERSION 27
diff --git a/src/transports/smart_pkt.c b/src/transports/smart_pkt.c
index a661dfe13..d10d6c68f 100644
--- a/src/transports/smart_pkt.c
+++ b/src/transports/smart_pkt.c
@@ -299,8 +299,11 @@ static int ng_pkt(git_pkt **out, const char *line, size_t len)
pkt->ref = NULL;
pkt->type = GIT_PKT_NG;
+ if (len < 3)
+ goto out_err;
line += 3; /* skip "ng " */
- if (!(ptr = strchr(line, ' ')))
+ len -= 3;
+ if (!(ptr = memchr(line, ' ', len)))
goto out_err;
len = ptr - line;
@@ -311,8 +314,11 @@ static int ng_pkt(git_pkt **out, const char *line, size_t len)
memcpy(pkt->ref, line, len);
pkt->ref[len] = '\0';
+ if (len < 1)
+ goto out_err;
line = ptr + 1;
- if (!(ptr = strchr(line, '\n')))
+ len -= 1;
+ if (!(ptr = memchr(line, '\n', len)))
goto out_err;
len = ptr - line;
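Review bot: The bound passed to the second `memchr` is not the number of bytes left in the packet: the first hunk ends with `len = ptr - line;`, which overwrites the remaining-length counter with the length of the ref name, so `len -= 1` and `memchr(line, '\n', len)` here search `ref_length - 1` bytes starting after the space. That bound is unrelated to the packet end, so a packet whose remainder is shorter than the ref name can still be read past its end, while a packet whose newline lies further than the ref-name length is wrongly rejected; the new `if (len < 1)` guard likewise rejects an empty ref name rather than a truncated packet. The remaining length needs to survive the reuse of `len`, e.g. record `const char *eol = line + len;` once before the first `len = ptr - line;` (declared at the top of ng_pkt, which starts before the first hunk) and replace the three added lines here with `line = ptr + 1; if (line >= eol || !(ptr = memchr(line, '\n', (size_t)(eol - line)))) goto out_err;`. The allocation of `pkt->ref` between the two hunks is not visible, so I am assuming it sizes from the ref-name `len` and is unaffected; the function's tail is also outside this hunk.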