Commit 5f557780 by Nelson Elhage Committed by Patrick Steinhardt

Verify ref_pkt's are long enough

If the remote sends a too-short packet, we'll allow `len` to go
negative and eventually issue a malloc for <= 0 bytes on

```
pkt->head.name = git__malloc(alloclen);
```

(cherry picked from commit 437ee5a7)
parent 9561ec83
...@@ -203,6 +203,11 @@ static int ref_pkt(git_pkt **out, const char *line, size_t len) ...@@ -203,6 +203,11 @@ static int ref_pkt(git_pkt **out, const char *line, size_t len)
git_pkt_ref *pkt; git_pkt_ref *pkt;
size_t alloclen; size_t alloclen;
if (len < GIT_OID_HEXSZ + 1) {
giterr_set(GITERR_NET, "error parsing pkt-line");
return -1;
}
pkt = git__malloc(sizeof(git_pkt_ref)); pkt = git__malloc(sizeof(git_pkt_ref));
GITERR_CHECK_ALLOC(pkt); GITERR_CHECK_ALLOC(pkt);
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment