smart protocol: validate progress message length

Ensure that the server has not sent us overly-large sideband messages (ensure that they are no more than `INT_MAX` bytes), then cast to `int`.

smart protocol: validate progress message length
Ensure that the server has not sent us overly-large sideband messages (ensure that they are no more than `INT_MAX` bytes), then cast to `int`.
8c925ef8 · Edward Thomson · 7afe788c · 8c925ef8
Commit 8c925ef8 authored May 21, 2019 by Edward Thomson
Hide whitespace changes
Inline Side-by-side

Showing with 16 additions and 2 deletions

src/transports/smart_protocol.c
+16 -2

No files found.
--- a/src/transports/smart_protocol.c
+++ b/src/transports/smart_protocol.c
@@ -604,7 +604,14 @@ int git_smart__download_pack(
 			} else if (pkt->type == GIT_PKT_PROGRESS) {
 				if (t->progress_cb) {
 					git_pkt_progress *p = (git_pkt_progress *) pkt;
-					error = t->progress_cb(p->data, p->len, t->message_cb_payload);
+
+					if (p->len > INT_MAX) {
+						git_error_set(GIT_ERROR_NET, "oversized progress message");
+						error = GIT_ERROR;
+						goto done;
+					}
+
+					error = t->progress_cb(p->data, (int)p->len, t->message_cb_payload);
 				}
 			} else if (pkt->type == GIT_PKT_DATA) {
 				git_pkt_data *p = (git_pkt_data *) pkt;
@@ -839,7 +846,14 @@ static int parse_report(transport_smart *transport, git_push *push)
 			case GIT_PKT_PROGRESS:
 				if (transport->progress_cb) {
 					git_pkt_progress *p = (git_pkt_progress *) pkt;
-					error = transport->progress_cb(p->data, p->len, transport->message_cb_payload);
+
+					if (p->len > INT_MAX) {
+						git_error_set(GIT_ERROR_NET, "oversized progress message");
+						error = GIT_ERROR;
+						goto done;
+					}
+
+					error = transport->progress_cb(p->data, (int)p->len, transport->message_cb_payload);
 				}
 				break;
 			default: