Commit 437ee5a70711ac2e027877d71ee4ae17e5ec3d6c

Nelson Elhage 2018-06-24T19:47:08

Verify ref_pkt's are long enough

If the remote sends a too-short packet, we'll allow `len` to go negative and eventually issue a malloc for <= 0 bytes on

```
pkt->head.name = git__malloc(alloclen);
```

diff --git a/src/transports/smart_pkt.c b/src/transports/smart_pkt.c
index 4824330..43c7874 100644
--- a/src/transports/smart_pkt.c
+++ b/src/transports/smart_pkt.c
@@ -216,6 +216,11 @@ static int ref_pkt(git_pkt **out, const char *line, size_t len)
 	git_pkt_ref *pkt;
 	size_t alloclen;
 
+	if (len < GIT_OID_HEXSZ + 1) {
+		giterr_set(GITERR_NET, "error parsing pkt-line");
+		return -1;
+	}
+
 	pkt = git__malloc(sizeof(git_pkt_ref));
 	GITERR_CHECK_ALLOC(pkt);
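
Review bot: The bound in `if (len < GIT_OID_HEXSZ + 1)` is undocumented. A one-line comment saying what the extra byte beyond the hex OID accounts for would let the next reader confirm the minimum is right without re-deriving the packet layout. It would also help to note that `len` is a `size_t` (per the signature in the hunk header), so a short packet makes later arithmetic wrap to a very large value rather than go negative, which is the reason the check has to come before any subtraction. The error string "error parsing pkt-line" does not distinguish this case from other parse failures, so something that names the ref packet as too short would make a hostile or broken remote easier to diagnose from logs. Placing the check before `git__malloc(sizeof(git_pkt_ref))` is good, since the early `return -1` then has nothing to free. No test is visible in this change, so a regression test that feeds a truncated ref line and expects -1 would be worth adding.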