A malicious server can return ACK with non-existent SHA-1 or not a
commit. lookup_commit() in this case may return NULL. Do not let
fetch-pack crash by accessing NULL address in this case.
Signed-off-by: Nguyễn Thái Ngọc Duy <pclouds@xxxxxxxxx>
---
2011/8/19 Shawn Pearce <spearce@xxxxxxxxxxx>:
> 2011/8/18 Nguyễn Thái Ngọc Duy <pclouds@xxxxxxxxx>:
>> However it raises another question, what if the other end returns a
>> valid commit, but not the one in "have" line fetch-pack sent? Are we
>> OK with that?
>
> Not really. The server is not supposed to return a SHA-1 in the ACK
> line unless the client said it first in a have line. So aborting with
> an error is reasonable thing for a client to do.
I assumed I could check result_sha1 against sha1. If it did not match,
fetch-pack would abort. But I was wrong because fetch-pack would send
a few have lines before receiving the first ack (which carries sha1
of some 'have' line in the middle, not the last 'have'). I'd leave it
here if anyone wants to tackle it.
builtin/fetch-pack.c | 3 +++
1 files changed, 3 insertions(+), 0 deletions(-)
diff --git a/builtin/fetch-pack.c b/builtin/fetch-pack.c
index 4367984..561f1a3 100644
--- a/builtin/fetch-pack.c
+++ b/builtin/fetch-pack.c
@@ -395,6 +395,9 @@ static int find_common(int fd[2], unsigned char *result_sha1,
case ACK_continue: {
struct commit *commit =
lookup_commit(result_sha1);
+ if (!commit)
+ die("server ACK contained unknown commit %s",
+ sha1_to_hex(result_sha1));
if (args.stateless_rpc
&& ack == ACK_common
&& !(commit->object.flags & COMMON)) {
--
1.7.4.74.g639db
--
To unsubscribe from this list: send the line "unsubscribe git" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html