Commit 1a709604 by Patrick Steinhardt Committed by Carlos Martín Nieto

transports: smart: fix potential invalid memory dereferences

When we receive a packet of exactly four bytes encoding its
length as those four bytes it can be treated as an empty line.
While it is not really specified how those empty lines should be
treated, we currently ignore them and do not return an error when
trying to parse it but simply advance the data pointer.

Callers invoking `git_pkt_parse_line` are currently not prepared
to handle this case as they do not explicitly check this case.
While they could always reset the passed out-pointer to `NULL`
before calling `git_pkt_parse_line` and determine if the pointer
has been set afterwards, it makes more sense to update
`git_pkt_parse_line` to set the out-pointer to `NULL` itself when
it encounters such an empty packet. Like this it is guaranteed
that there will be no invalid memory references to free'd
pointers.

As such, the issue has been fixed such that `git_pkt_parse_line`
always sets the packet out pointer to `NULL` when an empty packet
has been received and callers check for this condition, skipping
such packets.
parent 11408f0e
...@@ -433,6 +433,7 @@ int git_pkt_parse_line( ...@@ -433,6 +433,7 @@ int git_pkt_parse_line(
* line? * line?
*/ */
if (len == PKT_LEN_SIZE) { if (len == PKT_LEN_SIZE) {
*head = NULL;
*out = line; *out = line;
return 0; return 0;
} }
......
...@@ -759,6 +759,14 @@ static int add_push_report_sideband_pkt(git_push *push, git_pkt_data *data_pkt, ...@@ -759,6 +759,14 @@ static int add_push_report_sideband_pkt(git_push *push, git_pkt_data *data_pkt,
line_len -= (line_end - line); line_len -= (line_end - line);
line = line_end; line = line_end;
/* When a valid packet with no content has been
* read, git_pkt_parse_line does not report an
* error, but the pkt pointer has not been set.
* Handle this by skipping over empty packets.
*/
if (pkt == NULL)
continue;
error = add_push_report_pkt(push, pkt); error = add_push_report_pkt(push, pkt);
git_pkt_free(pkt); git_pkt_free(pkt);
...@@ -813,6 +821,9 @@ static int parse_report(transport_smart *transport, git_push *push) ...@@ -813,6 +821,9 @@ static int parse_report(transport_smart *transport, git_push *push)
error = 0; error = 0;
if (pkt == NULL)
continue;
switch (pkt->type) { switch (pkt->type) {
case GIT_PKT_DATA: case GIT_PKT_DATA:
/* This is a sideband packet which contains other packets */ /* This is a sideband packet which contains other packets */
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment