On Wed, Sep 15, 2021 at 02:25:49AM +0200, Ævar Arnfjörð Bjarmason wrote:

> On Tue, Sep 14 2021, Jeff King wrote:
>
> > While looking at [1], I noticed that v2 servers will read a few bits of
> > client input into strvecs. Even though we expect these to be small-ish,
> > there's nothing preventing a client from sending us a bunch of junk and
> > wasting memory.
> > [...]
> >
> > [1] https://lore.kernel.org/git/YT54CNYgtGcqexwq@xxxxxxxxxxxxxxxxxxxxxxx/
>
> When I first read this I expected it to be a link to
> https://lore.kernel.org/git/YPCsDLoiiAG%2FC%2Fft@xxxxxxxxxxxxxxxxxxxxxxx/;
> i.e. that the object-info leak discussion back in July had encouraged
> you to work on this ... :)

Nope, I got terrified by the "yes | upload-pack" example I showed
earlier. :) I was really worried it could turn into a heap overflow, but
it turns out that it cannot. But I still think tightening things up (and
avoiding any memory-consumption attacks) is worth doing.

-Peff