Skip to content

signature: fix out-of-bounds read when parsing timezone offset#4883

Merged
pks-t merged 1 commit intolibgit2:masterfrom
pks-t:pks/signature-tz-oob
Nov 13, 2018
Merged

signature: fix out-of-bounds read when parsing timezone offset#4883
pks-t merged 1 commit intolibgit2:masterfrom
pks-t:pks/signature-tz-oob

Conversation

@pks-t
Copy link
Member

@pks-t pks-t commented Nov 9, 2018

When parsing a signature's timezone offset, we first check whether there
is a timezone at all by verifying that there are still bytes left to
read following the time itself. The check thus looks like time_end + 1 < buffer_end, which is actually correct in this case. After setting the
timezone's start pointer to that location, we compute the remaining
bytes by using the formula buffer_end - tz_start + 1, re-using the
previous time_end + 1. But this is in fact missing the braces around
(tz_start + 1), thus leading to an overestimation of the remaining
bytes by a length of two. In case of a non-NUL terminated buffer, this
will result in an overflow.

The function git_signature__parse is only used in two locations. First
is git_signature_from_buffer, which only accepts a string without a
length. The string thus necessarily has to be NUL terminated and cannot
trigger the issue.

The other function is git_commit__parse_raw, which can in fact trigger
the error as it may receive non-NUL terminated commit data. But as
objects read from the ODB are always NUL-terminated by us as a
cautionary measure, it cannot trigger the issue either.

In other words, this error does not have any impact on security.

@pks-t
signature: fix out-of-bounds read when parsing timezone offset
52f859f 
When parsing a signature's timezone offset, we first check whether there
is a timezone at all by verifying that there are still bytes left to
read following the time itself. The check thus looks like `time_end + 1
< buffer_end`, which is actually correct in this case. After setting the
timezone's start pointer to that location, we compute the remaining
bytes by using the formula `buffer_end - tz_start + 1`, re-using the
previous `time_end + 1`. But this is in fact missing the braces around
`(tz_start + 1)`, thus leading to an overestimation of the remaining
bytes by a length of two. In case of a non-NUL terminated buffer, this
will result in an overflow.

The function `git_signature__parse` is only used in two locations. First
is `git_signature_from_buffer`, which only accepts a string without a
length. The string thus necessarily has to be NUL terminated and cannot
trigger the issue.

The other function is `git_commit__parse_raw`, which can in fact trigger
the error as it may receive non-NUL terminated commit data. But as
objects read from the ODB are always NUL-terminated by us as a
cautionary measure, it cannot trigger the issue either.

In other words, this error does not have any impact on security.
@pks-t
Copy link
Member Author

pks-t commented Nov 13, 2018

/rebuild

@libgit2-azure-pipelines
Copy link

libgit2-azure-pipelines bot commented Nov 13, 2018

Okay, @pks-t, I started to rebuild this pull request.

@pks-t
Copy link
Member Author

pks-t commented Nov 13, 2018

/rebuild

@libgit2-azure-pipelines
Copy link

libgit2-azure-pipelines bot commented Nov 13, 2018

Okay, @pks-t, I started to rebuild this pull request.

@pks-t
Copy link
Member Author

pks-t commented Nov 13, 2018

online::badssl is hitting again :/

@pks-t pks-t merged commit cf83809 into libgit2:master Nov 13, 2018
@pks-t pks-t deleted the pks/signature-tz-oob branch November 13, 2018 13:29
@snyk-bot snyk-bot mentioned this pull request Feb 23, 2020
Open
@snyk-bot snyk-bot mentioned this pull request Apr 22, 2020
Open
@snyk-bot snyk-bot mentioned this pull request May 5, 2020
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@pks-t