smart protocol: validate progress message length Ensure that the server has not sent us overly-large sideband messages (ensure that they are no more than `INT_MAX` bytes), then cast to `int`.
diff --git a/src/transports/smart_protocol.c b/src/transports/smart_protocol.c
index c251eb8..cfbe7e4 100644
--- a/src/transports/smart_protocol.c
+++ b/src/transports/smart_protocol.c
@@ -604,7 +604,14 @@ int git_smart__download_pack(
} else if (pkt->type == GIT_PKT_PROGRESS) {
if (t->progress_cb) {
git_pkt_progress *p = (git_pkt_progress *) pkt;
- error = t->progress_cb(p->data, p->len, t->message_cb_payload);
+
+ if (p->len > INT_MAX) {
+ git_error_set(GIT_ERROR_NET, "oversized progress message");
+ error = GIT_ERROR;
+ goto done;
+ }
+
+ error = t->progress_cb(p->data, (int)p->len, t->message_cb_payload);
}
} else if (pkt->type == GIT_PKT_DATA) {
git_pkt_data *p = (git_pkt_data *) pkt;
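Review bot: The new `goto done;` on the oversized-message path jumps straight out of the packet handling, while the other branches of this if/else chain only set `error` and fall through; if `pkt` is released after the chain (that code is outside the hunk, so this is inferred), a server that sends an oversized progress packet would make the client skip that release. Setting the error and falling through would keep a single exit path: drop the `goto done;` and move the callback into an `else`, i.e. `} else { error = t->progress_cb(p->data, (int)p->len, t->message_cb_payload); }`. The same applies to the `GIT_PKT_PROGRESS` case in `parse_report`, where `break;` in place of `goto done;` would reach whatever follows the switch. Both functions start and end outside their hunks, so check what the `done:` label cleans up before changing this.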
@@ -839,7 +846,14 @@ static int parse_report(transport_smart *transport, git_push *push)
case GIT_PKT_PROGRESS:
if (transport->progress_cb) {
git_pkt_progress *p = (git_pkt_progress *) pkt;
- error = transport->progress_cb(p->data, p->len, transport->message_cb_payload);
+
+ if (p->len > INT_MAX) {
+ git_error_set(GIT_ERROR_NET, "oversized progress message");
+ error = GIT_ERROR;
+ goto done;
+ }
+
+ error = transport->progress_cb(p->data, (int)p->len, transport->message_cb_payload);
}
break;
default: