kmx git

Show log
Commit
Hash : 86852613
Author :
Date : 2019-12-13T12:13:05

smart_pkt: fix overflow resulting in OOB read/write of one byte When parsing OK packets, we copy any information after the initial "ok " prefix into the resulting packet. As newlines act as packet boundaries, we also strip the trailing newline if there is any. We do not check whether there is any data left after the initial "ok " prefix though, which leads to a pointer overflow in that case as `len == 0`: if (line[len - 1] == '\n') --len; This out-of-bounds read is a rather useless gadget, as we can only deduce whether at some offset there is a newline character. In case there accidentally is one, we overflow `len` to `SIZE_MAX` and then write a NUL byte into an array indexed by it: pkt->ref[len] = '\0'; Again, this doesn't seem like something that's possible to be exploited in any meaningful way, but it may surely lead to inconsistencies or DoS. Fix the issue by checking whether there is any trailing data after the packet prefix.

Git HTTP	https://git.kmx.io/thodg/libgit2.git
Git SSH	git@git.kmx.io:thodg/libgit2.git
Public access ?	public
Description	https://libgit2.org/
Users
Tags	v1.5.0 v1.4.4 v1.4.3 v1.4.2 v1.4.1 v1.4.0 v1.3.2 v1.3.1 v1.3.0 v1.2.0 v1.1.1 v1.1.0 v1.0.1 v1.0.0 v0.99.0 v0.8.0 v0.3.0 v0.28.5 v0.28.4 v0.28.3 v0.28.2 v0.28.1 v0.28.0-rc1 v0.28.0 v0.27.9 v0.27.8 v0.27.7 v0.27.6 v0.27.5 v0.27.4 v0.27.3 v0.27.2 v0.27.10 v0.27.1 v0.27.0-rc3 v0.27.0-rc2 v0.27.0-rc1 v0.27.0 v0.26.8 v0.26.7 v0.26.6 v0.26.5 v0.26.4 v0.26.3 v0.26.2 v0.26.1 v0.26.0-rc2 v0.26.0-rc1 v0.26.0 v0.25.1 v0.25.0-rc2 v0.25.0-rc1 v0.25.0 v0.24.6 v0.24.5 v0.24.4 v0.24.3 v0.24.2 v0.24.1 v0.24.0-rc1 v0.24.0 v0.23.4 v0.23.3 v0.23.2 v0.23.1 v0.23.0-rc2 v0.23.0-rc1 v0.23.0 v0.22.3 v0.22.2 v0.22.1 v0.22.0-rc2 v0.22.0-rc1 v0.22.0 v0.21.5 v0.21.4 v0.21.3 v0.21.2 v0.21.1 v0.21.0-rc2 v0.21.0-rc1 v0.21.0 v0.20.0 v0.2.0 v0.19.0 v0.18.0 v0.17.0 v0.16.0 v0.15.0 v0.14.0 v0.13.0 v0.12.0 v0.11.0 v0.10.0 v0.1.0

thodg/libgit2/src/transports