
From:
Stefan Sperling <stsp@stsp.name>
Subject:
missing length check in got_path_is_child()
To:
gameoftrees@openbsd.org
Date:
Wed, 11 May 2022 16:05:33 +0200

If the child path is a NUL-terminated C string shorter than the parent
path, and the child path matches the parent path up to the child's end,
then we end up with an out-of-bounds read.

It might be possible to trigger this in got-fetch-pack where a reference
name provided by the server gets passed to got_path_is_child(), but only
if the -R option is passed to 'got clone' or 'got fetch'.

All other callers seem to be passing in locally generated path data.
(Unless perhaps if the file index is corrupt or malicious, but then
you already have bigger problems than this.)

ok?

diff 6d9c73d72e43db5dfe560cade0a61eed638b45d0 /home/stsp/src/got
blob - d0ec896bd7350a9da6048dc4c9ee1020412b2d56
file + lib/path.c
--- lib/path.c
+++ lib/path.c
@@ -159,7 +159,8 @@ got_path_is_child(const char *child, const char *paren
 	if (parent_len == 0 || got_path_is_root_dir(parent))
 		return 1;
 
-	if (strncmp(parent, child, parent_len) != 0)
+	if (strlen(child) < parent_len ||
+	    strncmp(parent, child, parent_len) != 0)
 		return 0;
 	if (child[parent_len] != '/')
 		return 0;