[PATCH] fetch-pack: check for valid commit from server

[PATCH] fetch-pack: check for valid commit from server

[Nguyễn Thái Ngọc Duy]

A malicious server can return ACK with non-existent SHA-1 or not a
commit. lookup_commit() in this case may return NULL. Do not let
fetch-pack crash by accessing NULL address in this case.

Signed-off-by: Nguyễn Thái Ngọc Duy <pclouds@gmail.com>
---
  However it raises another question, what if the other end returns a
  valid commit, but not the one in "have" line fetch-pack sent? Are we
  OK with that?

 builtin/fetch-pack.c |    2 ++
 1 files changed, 2 insertions(+), 0 deletions(-)

diff --git a/builtin/fetch-pack.c b/builtin/fetch-pack.c
index 4367984..3c871c2 100644
--- a/builtin/fetch-pack.c
+++ b/builtin/fetch-pack.c
@@ -395,6 +395,8 @@ static int find_common(int fd[2], unsigned char *result_sha1,
 				case ACK_continue: {
 					struct commit *commit =
 						lookup_commit(result_sha1);
+					if (!commit)
+						die("invalid commit %s", sha1_to_hex(result_sha1));
 					if (args.stateless_rpc
 					 && ack == ACK_common
 					 && !(commit->object.flags & COMMON)) {
-- 
1.7.4.74.g639db

Re: [PATCH] fetch-pack: check for valid commit from server

[Shawn Pearce]

2011/8/18 Nguyễn Thái Ngọc Duy <pclouds@gmail.com>:
> A malicious server can return ACK with non-existent SHA-1 or not a
> commit. lookup_commit() in this case may return NULL. Do not let
> fetch-pack crash by accessing NULL address in this case.
>
> Signed-off-by: Nguyễn Thái Ngọc Duy <pclouds@gmail.com>
> ---
>  However it raises another question, what if the other end returns a
>  valid commit, but not the one in "have" line fetch-pack sent? Are we
>  OK with that?

Not really. The server is not supposed to return a SHA-1 in the ACK
line unless the client said it first in a have line. So aborting with
an error is reasonable thing for a client to do.

> +                                       if (!commit)
> +                                               die("invalid commit %s", sha1_to_hex(result_sha1));

Maybe:

  die("server ACK contained unknown commit %s", sha1_to_hex(result_sha1));

is more specific to the problem.


Just curious, did you see this on a particular server somewhere?

-- 
Shawn.

Re: [PATCH] fetch-pack: check for valid commit from server

[Nguyen Thai Ngoc Duy]

2011/8/19 Shawn Pearce <spearce@spearce.org>:
> Just curious, did you see this on a particular server somewhere?

No. I was looking for lookup_commit() call sites without proper NULL handling.
-- 
Duy

[PATCH] fetch-pack: check for valid commit from server

[Nguyễn Thái Ngọc Duy]

A malicious server can return ACK with non-existent SHA-1 or not a
commit. lookup_commit() in this case may return NULL. Do not let
fetch-pack crash by accessing NULL address in this case.

Signed-off-by: Nguyễn Thái Ngọc Duy <pclouds@gmail.com>
---
 2011/8/19 Shawn Pearce <spearce@spearce.org>:
 > 2011/8/18 Nguyễn Thái Ngọc Duy <pclouds@gmail.com>:
 >>  However it raises another question, what if the other end returns a
 >>  valid commit, but not the one in "have" line fetch-pack sent? Are we
 >>  OK with that?
 >
 > Not really. The server is not supposed to return a SHA-1 in the ACK
 > line unless the client said it first in a have line. So aborting with
 > an error is reasonable thing for a client to do.

 I assumed I could check result_sha1 against sha1. If it did not match,
 fetch-pack would abort. But I was wrong because fetch-pack would send
 a few have lines before receiving the first ack (which carries sha1
 of some 'have' line in the middle, not the last 'have'). I'd leave it
 here if anyone wants to tackle it.

 builtin/fetch-pack.c |    3 +++
 1 files changed, 3 insertions(+), 0 deletions(-)

diff --git a/builtin/fetch-pack.c b/builtin/fetch-pack.c
index 4367984..561f1a3 100644
--- a/builtin/fetch-pack.c
+++ b/builtin/fetch-pack.c
@@ -395,6 +395,9 @@ static int find_common(int fd[2], unsigned char *result_sha1,
 				case ACK_continue: {
 					struct commit *commit =
 						lookup_commit(result_sha1);
+					if (!commit)
+						die("server ACK contained unknown commit %s",
+						    sha1_to_hex(result_sha1));
 					if (args.stateless_rpc
 					 && ack == ACK_common
 					 && !(commit->object.flags & COMMON)) {
-- 
1.7.4.74.g639db

Re: [PATCH] fetch-pack: check for valid commit from server

[Junio C Hamano]

Thanks, but already queued the one from yesterday in 'maint' ;-).