diff options
author | Patrick Steinhardt <ps@pks.im> | 2019-12-13 12:13:05 +0100 |
---|---|---|
committer | Patrick Steinhardt <ps@pks.im> | 2020-03-26 22:12:59 +0100 |
commit | c2b617f3d38b3793c4252f254739bc47a42c80fd (patch) | |
tree | a3e606b675be070eb8aa771223e6d6424de197dc | |
parent | 3e2fcfee161ab369dae11fd07e884ba2a5cbeccc (diff) | |
download | libgit2-c2b617f3d38b3793c4252f254739bc47a42c80fd.tar.gz |
smart_pkt: fix overflow resulting in OOB read/write of one byte
When parsing OK packets, we copy any information after the initial "ok "
prefix into the resulting packet. As newlines act as packet boundaries,
we also strip the trailing newline if there is any. We do not check
whether there is any data left after the initial "ok " prefix though,
which leads to a pointer overflow in that case as `len == 0`:
if (line[len - 1] == '\n')
--len;
This out-of-bounds read is a rather useless gadget, as we can only
deduce whether at some offset there is a newline character. In case
there accidentally is one, we overflow `len` to `SIZE_MAX` and then
write a NUL byte into an array indexed by it:
pkt->ref[len] = '\0';
Again, this doesn't seem like something that's possible to be exploited
in any meaningful way, but it may surely lead to inconsistencies or DoS.
Fix the issue by checking whether there is any trailing data after the
packet prefix.
-rw-r--r-- | src/transports/smart_pkt.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/src/transports/smart_pkt.c b/src/transports/smart_pkt.c index 9bc273e0c..56b680d28 100644 --- a/src/transports/smart_pkt.c +++ b/src/transports/smart_pkt.c @@ -273,7 +273,7 @@ static int ok_pkt(git_pkt **out, const char *line, size_t len) line += 3; len -= 3; - if (line[len - 1] == '\n') + if (len && line[len - 1] == '\n') --len; GIT_ERROR_CHECK_ALLOC_ADD(&alloc_len, len, 1); |