File libgit2-verify-packet-length.patch of Package libgit2.9827

Overview Repositories Revisions Requests Users Attributes Meta

File libgit2-verify-packet-length.patch of Package libgit2.9827

commit 4ac39c76c0153d1ee6889a0984c39e97731684b2
Author: Patrick Steinhardt <ps@pks.im>
Date:   Tue Nov 15 11:36:27 2016 +0100

smart_pkt: verify packet length exceeds PKT_LEN_SIZE
    
    Each packet line in the Git protocol is prefixed by a four-byte
    length of how much data will follow, which we parse in
    `git_pkt_parse_line`. The transmitted length can either be equal
    to zero in case of a flush packet or has to be at least of length
    four, as it also includes the encoded length itself. Not
    checking this may result in a buffer overflow as we directly pass
    the length to functions which accept a `size_t` length as
    parameter.
    
    Fix the issue by verifying that non-flush packets have at least a
    length of `PKT_LEN_SIZE`.

Index: libgit2-0.24.1/src/transports/smart_pkt.c
===================================================================
--- libgit2-0.24.1.orig/src/transports/smart_pkt.c
+++ libgit2-0.24.1/src/transports/smart_pkt.c
@@ -427,6 +427,14 @@ int git_pkt_parse_line(
 	if (bufflen > 0 && bufflen < (size_t)len)
 		return GIT_EBUFS;
 
+	/*
+	 * The length has to be exactly 0 in case of a flush
+	 * packet or greater than PKT_LEN_SIZE, as the decoded
+	 * length includes its own encoded length of four bytes.
+	 */
+	if (len != 0 && len < PKT_LEN_SIZE)
+		return GIT_ERROR;
+
 	line += PKT_LEN_SIZE;
 	/*
 	 * TODO: How do we deal with empty lines? Try again? with the next

Places

File libgit2-verify-packet-length.patch of Package libgit2.9827

Places