diff options
author | Patrick Steinhardt <ps@pks.im> | 2016-11-15 11:36:27 +0100 |
---|---|---|
committer | Edward Thomson <ethomson@github.com> | 2017-01-06 17:11:44 +0000 |
commit | 66e3774d279672ee51c3b54545a79d20d1ada834 (patch) | |
tree | e6334344180683b99c2cfd5c115b03bd1af40dbb | |
parent | 75db289a041b1f1084768244e167b953ac7eeaa5 (diff) | |
download | libgit2-66e3774d279672ee51c3b54545a79d20d1ada834.tar.gz |
smart_pkt: verify packet length exceeds PKT_LEN_SIZE
Each packet line in the Git protocol is prefixed by a four-byte
length of how much data will follow, which we parse in
`git_pkt_parse_line`. The transmitted length can either be equal
to zero in case of a flush packet or has to be at least of length
four, as it also includes the encoded length itself. Not
checking this may result in a buffer overflow as we directly pass
the length to functions which accept a `size_t` length as
parameter.
Fix the issue by verifying that non-flush packets have at least a
length of `PKT_LEN_SIZE`.
-rw-r--r-- | src/transports/smart_pkt.c | 8 |
1 files changed, 8 insertions, 0 deletions
diff --git a/src/transports/smart_pkt.c b/src/transports/smart_pkt.c index 2297cc94f..6fe53b931 100644 --- a/src/transports/smart_pkt.c +++ b/src/transports/smart_pkt.c @@ -427,6 +427,14 @@ int git_pkt_parse_line( if (bufflen > 0 && bufflen < (size_t)len) return GIT_EBUFS; + /* + * The length has to be exactly 0 in case of a flush + * packet or greater than PKT_LEN_SIZE, as the decoded + * length includes its own encoded length of four bytes. + */ + if (len != 0 && len < PKT_LEN_SIZE) + return GIT_ERROR; + line += PKT_LEN_SIZE; /* * TODO: How do we deal with empty lines? Try again? with the next |