transports: smart: abort on early end of stream #3983
Merged
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
When reading a server's reference announcements via the smart protocol, we expect the server to send multiple flushes before the protocol is finished. If we fail to receive new data from the socket, we will only return an end of stream error if we have not seen any flush yet. This logic is flawed in that we may run into an infinite loop when receiving a server's reference announcement with a bogus flush packet. E.g. assume the last flushing package is changed to not be '0000' but instead any other value. In this case, we will still await one more flush package and ignore the fact that we are not receiving any data from the socket, causing an infinite loop. Fix the issue by always returning `GIT_EEOF` if the socket indicates an end of stream.
When trying to receive packets from the remote, we loop until either an error distinct to `GIT_EBUFS` occurs or until we successfully parsed the packet. This does not honor the case where we are looping over an already closed socket which has no more data, leaving us in an infinite loop if we got a bogus packet size or if the remote hang up. Fix the issue by returning `GIT_EEOF` when we cannot read data from the socket anymore.
f27997d to
62494bf
Compare
|
Got another case where we were looping endlessly in search for additional data. |
|
Any comments on this PR? I don't feel like just merging it without anybody else having a look at it, but I feel like this PR should be merged due to its possible security implications. |
|
This makes sense. I suspect the code was trying to handle the case where it times out before reading, but we don't actually do that currently, so we should indeed consider a |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
I've started playing around with mitmproxy to test our online protocol and was able to force libgit2 into an infinite loop on first try. The issue occurs if we fetch from a remote via the smart protocol if the last flush packet from the remote is modified.
This PR fixes the infinite loop. I'm actually not sure why we only returned an EOF before when
flush == 0, I couldn't find any reason here. One thing I could imagine is that we actually wanted to return0if the last received packet was actually a flush packet and the socket returned EOF so that we wouldn't produce an error if we received less flushes than expected. But we actually only use the function once and only check if the return code was an error, so we wouldn't handle positive values (e.g. there are outstanding flushes).Yeah, so I'm quite clueless here. Anyway, the issue obviously requires a fix as it's remotely exploitable, so I'm putting this up for discussion here.