1. 07 Nov, 2018 2 commits
    • smart transport: only clear url on hard reset · 9ad96367
      After creating a transport for a server, we expect to be able to call
      `connect`, then invoke subsequent `action` calls.  We provide the URL to
      these `action` calls, although our built-in transports happen to ignore
      it since they've already parsed it into an internal format that they
      intend to use (`gitno_connection_data`).
      
      In ca2eb460, we began clearing the URL
      field after a connection, meaning that subsequent calls to transport
      `action` callbacks would get a NULL URL, which went undetected since the
      builtin transports ignore the URL when they're already connected
      (instead of re-parsing it into an internal format).
      
      Downstream custom transport implementations (eg, LibGit2Sharp) did
      notice this change, however.
      
      Since `reset_stream` is called even when we're not closing the
      subtransport, update to only clear the URL when we're closing the
      subtransport.  This ensures that `action` calls will get the correct URL
      information even after a connection.
      Edward Thomson committed
  2. 02 Nov, 2018 5 commits
    • tree: fix integer overflow when reading unreasonably large filemodes · 7fafec0e
      The `parse_mode` option uses an open-coded octal number parser. The
      parser is quite naive in that it simply parses until hitting a character
      that is not in the accepted range of '0' - '7', completely ignoring the
      fact that we can at most accept a 16 bit unsigned integer as filemode.
      If the filemode is bigger than UINT16_MAX, it will thus overflow and
      provide an invalid filemode for the object entry.
      
      Fix the issue by using `git__strntol32` instead and doing a bounds
      check. As this function already handles overflows, it neatly solves the
      problem.
      
      Note that previously, `parse_mode` was also skipping the character
      immediately after the filemode. In proper trees, this should be a simple
      space, but in fact the parser accepted any character and simply skipped
      over it. As a consequence of using `git__strntol32`, we now need to an
      explicit check for a trailing whitespace after having parsed the
      filemode. Because of the newly introduced error message, the test
      object::tree::parse::mode_doesnt_cause_oob_read needs adjustment to its
      error message check, which in fact is a good thing as it demonstrates
      that we now fail looking for the whitespace immediately following the
      filemode.
      
      Add a test that shows that we will fail to parse such invalid filemodes
      now.
      Patrick Steinhardt committed
    • tree: fix mode parsing reading out-of-bounds · f647bbc8
      When parsing a tree entry's mode, we will eagerly parse until we hit a
      character that is not in the accepted set of octal digits '0' - '7'. If
      the provided buffer is not a NUL terminated one, we may thus read
      out-of-bounds.
      
      Fix the issue by passing the buffer length to `parse_mode` and paying
      attention to it. Note that this is not a vulnerability in our usual code
      paths, as all object data read from the ODB is NUL terminated.
      Patrick Steinhardt committed
    • tree: add various tests exercising the tree parser · d4ad658a
      We currently don't have any tests that directly exercise the tree
      parser. This is due to the fact that the parsers for raw object data has
      only been recently introduce with commit ca4db5f4 (object: implement
      function to parse raw data, 2017-10-13), and previous to that the setup
      simply was too cumbersome as it always required going through the ODB.
      
      Now that we have the infrastructure, add a suite of tests that directly
      exercise the tree parser and various edge cases.
      Patrick Steinhardt committed
    • strntol: fix detection and skipping of base prefixes · 50d09407
      The `git__strntol` family of functions has the ability to auto-detect
      a number's base if the string has either the common '0x' prefix for
      hexadecimal numbers or '0' prefix for octal numbers. The detection of
      such prefixes and following handling has two major issues though that are
      being fixed in one go now.
      
      - We do not do any bounds checking previous to verifying the '0x' base.
        While we do verify that there is at least one digit available
        previously, we fail to verify that there are two digits available and
        thus may do an out-of-bounds read when parsing this
        two-character-prefix.
      
      - When skipping the prefix of such numbers, we only update the pointer
        length without also updating the number of remaining bytes. Thus if we
        try to parse a number '0x1' of total length 3, we will first skip the
        first two bytes and then try to read 3 bytes starting at '1'.
      
      Fix both issues by disentangling the logic. Instead of doing the
      detection and skipping of such prefixes in one go, we will now first try
      to detect the base while also honoring how many bytes are left. Only if
      we have a valid base that is either 8 or 16 and have one of the known
      prefixes, we will now advance the pointer and update the remaining bytes
      in one step.
      
      Add some tests that verify that no out-of-bounds parsing happens and
      that autodetection works as advertised.
      Patrick Steinhardt committed
    • strntol: fix out-of-bounds read when skipping leading spaces · 41863a00
      The `git__strntol` family of functions accepts leading spaces and will
      simply skip them. The skipping will not honor the provided buffer's
      length, though, which may lead it to read outside of the provided
      buffer's bounds if it is not a simple NUL-terminated string.
      Furthermore, if leading space is trimmed, the function will further
      advance the pointer but not update the number of remaining bytes, which
      may also lead to out-of-bounds reads.
      
      Fix the issue by properly paying attention to the buffer length and
      updating it when stripping leading whitespace characters. Add a test
      that verifies that we won't read past the provided buffer length.
      Patrick Steinhardt committed
  3. 31 Oct, 2018 1 commit
  4. 30 Oct, 2018 2 commits
  5. 26 Oct, 2018 6 commits
  6. 25 Oct, 2018 11 commits
  7. 23 Oct, 2018 1 commit
  8. 21 Oct, 2018 12 commits