commit - 38c670f14feb46a50c367924ad72f88dddfbad01
commit + 4dc8ee099c58807be7ed93940d6209c44cc4729a
blob - e593a8ed5db8f3e51ad09cbd00486332aef60259
blob + 8ce243b9a22fbe36868976dc8ed6fd9eabf050ba
--- libexec/got-fetch-pack/got-fetch-pack.c
+++ libexec/got-fetch-pack/got-fetch-pack.c
readpkt(int *outlen, int fd, char *buf, int nbuf)
{
const struct got_error *err = NULL;
- char len[5];
+ char lenstr[5];
+ long len;
char *e;
int n;
ssize_t r;
*outlen = 0;
- err = readn(&r, fd, len, 4);
+ err = readn(&r, fd, lenstr, 4);
if (err)
return err;
+ if (r != 4)
+ return got_error(GOT_ERR_IO);
- len[4] = 0;
- n = strtol(len, &e, 16);
+ lenstr[4] = '\0';
+ errno = 0;
+ len = strtol(lenstr, &e, 16);
+ if (lenstr[0] == '\0' || *e != '\0')
+ return got_error(GOT_ERR_BAD_PACKET);
+ if (errno == ERANGE && (len == LONG_MAX || len == LONG_MIN))
+ return got_error(GOT_ERR_BAD_PACKET);
+ if (len > INT_MAX || len < INT_MIN)
+ return got_error(GOT_ERR_BAD_PACKET);
+ n = len;
if (n == 0) {
if (chattygit)
fprintf(stderr, "readpkt: 0000\n");
return NULL;
}
- if (e != len + 4 || n <= 4)
+ if (n <= 4)
return got_error(GOT_ERR_BAD_PACKET);
n -= 4;
if (n >= nbuf)
return got_error(GOT_ERR_BAD_PACKET);
buf[n] = 0;
if (chattygit)
- fprintf(stderr, "readpkt: %s:\t%.*s\n", len, nbuf, buf);
+ fprintf(stderr, "readpkt: %s:\t%.*s\n", lenstr, nbuf, buf);
*outlen = n;
return NULL;
