* [PATCH] fetch-pack: check for valid commit from server
@ 2011-08-18 13:36 Nguyễn Thái Ngọc Duy
2011-08-18 21:32 ` Shawn Pearce
2011-08-19 15:11 ` Nguyễn Thái Ngọc Duy
0 siblings, 2 replies; 5+ messages in thread
From: Nguyễn Thái Ngọc Duy @ 2011-08-18 13:36 UTC (permalink / raw)
To: git; +Cc: Nguyễn Thái Ngọc Duy
A malicious server can return ACK with non-existent SHA-1 or not a
commit. lookup_commit() in this case may return NULL. Do not let
fetch-pack crash by accessing NULL address in this case.
Signed-off-by: Nguyễn Thái Ngọc Duy <pclouds@gmail.com>
---
However it raises another question, what if the other end returns a
valid commit, but not the one in "have" line fetch-pack sent? Are we
OK with that?
builtin/fetch-pack.c | 2 ++
1 files changed, 2 insertions(+), 0 deletions(-)
diff --git a/builtin/fetch-pack.c b/builtin/fetch-pack.c
index 4367984..3c871c2 100644
--- a/builtin/fetch-pack.c
+++ b/builtin/fetch-pack.c
@@ -395,6 +395,8 @@ static int find_common(int fd[2], unsigned char *result_sha1,
case ACK_continue: {
struct commit *commit =
lookup_commit(result_sha1);
+ if (!commit)
+ die("invalid commit %s", sha1_to_hex(result_sha1));
if (args.stateless_rpc
&& ack == ACK_common
&& !(commit->object.flags & COMMON)) {
--
1.7.4.74.g639db
^ permalink raw reply related [flat|nested] 5+ messages in thread* Re: [PATCH] fetch-pack: check for valid commit from server
2011-08-18 13:36 [PATCH] fetch-pack: check for valid commit from server Nguyễn Thái Ngọc Duy
@ 2011-08-18 21:32 ` Shawn Pearce
2011-08-19 4:19 ` Nguyen Thai Ngoc Duy
2011-08-19 15:11 ` Nguyễn Thái Ngọc Duy
1 sibling, 1 reply; 5+ messages in thread
From: Shawn Pearce @ 2011-08-18 21:32 UTC (permalink / raw)
To: Nguyễn Thái Ngọc Duy; +Cc: git
2011/8/18 Nguyễn Thái Ngọc Duy <pclouds@gmail.com>:
> A malicious server can return ACK with non-existent SHA-1 or not a
> commit. lookup_commit() in this case may return NULL. Do not let
> fetch-pack crash by accessing NULL address in this case.
>
> Signed-off-by: Nguyễn Thái Ngọc Duy <pclouds@gmail.com>
> ---
> However it raises another question, what if the other end returns a
> valid commit, but not the one in "have" line fetch-pack sent? Are we
> OK with that?
Not really. The server is not supposed to return a SHA-1 in the ACK
line unless the client said it first in a have line. So aborting with
an error is reasonable thing for a client to do.
> + if (!commit)
> + die("invalid commit %s", sha1_to_hex(result_sha1));
Maybe:
die("server ACK contained unknown commit %s", sha1_to_hex(result_sha1));
is more specific to the problem.
Just curious, did you see this on a particular server somewhere?
--
Shawn.
^ permalink raw reply [flat|nested] 5+ messages in thread* [PATCH] fetch-pack: check for valid commit from server
2011-08-18 13:36 [PATCH] fetch-pack: check for valid commit from server Nguyễn Thái Ngọc Duy
2011-08-18 21:32 ` Shawn Pearce
@ 2011-08-19 15:11 ` Nguyễn Thái Ngọc Duy
2011-08-19 20:18 ` Junio C Hamano
1 sibling, 1 reply; 5+ messages in thread
From: Nguyễn Thái Ngọc Duy @ 2011-08-19 15:11 UTC (permalink / raw)
To: git, Shawn Pearce, Junio C Hamano; +Cc: Nguyễn Thái Ngọc Duy
A malicious server can return ACK with non-existent SHA-1 or not a
commit. lookup_commit() in this case may return NULL. Do not let
fetch-pack crash by accessing NULL address in this case.
Signed-off-by: Nguyễn Thái Ngọc Duy <pclouds@gmail.com>
---
2011/8/19 Shawn Pearce <spearce@spearce.org>:
> 2011/8/18 Nguyễn Thái Ngọc Duy <pclouds@gmail.com>:
>> However it raises another question, what if the other end returns a
>> valid commit, but not the one in "have" line fetch-pack sent? Are we
>> OK with that?
>
> Not really. The server is not supposed to return a SHA-1 in the ACK
> line unless the client said it first in a have line. So aborting with
> an error is reasonable thing for a client to do.
I assumed I could check result_sha1 against sha1. If it did not match,
fetch-pack would abort. But I was wrong because fetch-pack would send
a few have lines before receiving the first ack (which carries sha1
of some 'have' line in the middle, not the last 'have'). I'd leave it
here if anyone wants to tackle it.
builtin/fetch-pack.c | 3 +++
1 files changed, 3 insertions(+), 0 deletions(-)
diff --git a/builtin/fetch-pack.c b/builtin/fetch-pack.c
index 4367984..561f1a3 100644
--- a/builtin/fetch-pack.c
+++ b/builtin/fetch-pack.c
@@ -395,6 +395,9 @@ static int find_common(int fd[2], unsigned char *result_sha1,
case ACK_continue: {
struct commit *commit =
lookup_commit(result_sha1);
+ if (!commit)
+ die("server ACK contained unknown commit %s",
+ sha1_to_hex(result_sha1));
if (args.stateless_rpc
&& ack == ACK_common
&& !(commit->object.flags & COMMON)) {
--
1.7.4.74.g639db
^ permalink raw reply related [flat|nested] 5+ messages in thread
end of thread, other threads:[~2011-08-19 20:18 UTC | newest]
Thread overview: 5+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2011-08-18 13:36 [PATCH] fetch-pack: check for valid commit from server Nguyễn Thái Ngọc Duy
2011-08-18 21:32 ` Shawn Pearce
2011-08-19 4:19 ` Nguyen Thai Ngoc Duy
2011-08-19 15:11 ` Nguyễn Thái Ngọc Duy
2011-08-19 20:18 ` Junio C Hamano
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).