From: Stefan Sperling
Subject: missing length check in got_path_is_child()
To: gameoftrees@openbsd.org
Date: Wed, 11 May 2022 16:05:33 +0200

If the child path is a NUL-terminated C string shorter than the parent path, and the child path matches the parent path up to the child's end, then we end up with an out-of-bounds read.

It might be possible to trigger this in got-fetch-pack where a reference name provided by the server gets passed to got_path_is_child(), but only if the -R option is passed to 'got clone' or 'got fetch'. All other callers seem to be passing in locally generated path data. (Unless perhaps if the file index is corrupt or malicious, but then you already have bigger problems than this.)

ok?

diff 6d9c73d72e43db5dfe560cade0a61eed638b45d0 /home/stsp/src/got blob - d0ec896bd7350a9da6048dc4c9ee1020412b2d56 file + lib/path.c --- lib/path.c +++ lib/path.c @@ -159,7 +159,8 @@ got_path_is_child(const char *child, const char *paren if (parent_len == 0 || got_path_is_root_dir(parent)) return 1; - if (strncmp(parent, child, parent_len) != 0) + if (strlen(child) < parent_len || + strncmp(parent, child, parent_len) != 0) return 0; if (child[parent_len] != '/') return 0;
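Review bot: the strict comparison in the new guard `strlen(child) < parent_len` is the right one and does not need to be `<=`: when strlen(child) equals parent_len, the later `child[parent_len]` reads the terminating NUL, which is in bounds and correctly fails the `!= '/'` test. Consider a one-line comment above the guard stating that the length test must stay ahead of the strncmp() call so that a later cleanup does not drop it as redundant with the prefix comparison. Minor style point: strlen(child) now walks the whole child string on every call, including calls that would fail on the first byte of the prefix; that is acceptable for path lengths but worth noting if this helper turns out to be hot.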