diff options
author | Taylor Blau <me@ttaylorr.com> | 2020-12-03 13:55:18 -0500 |
---|---|---|
committer | Junio C Hamano <gitster@pobox.com> | 2020-12-03 12:42:33 -0800 |
commit | 8d133f500a5390a089988141cdec8154a732764d (patch) | |
tree | 3f22e88f7696eda19ad92285c66a53ad75b6c5e3 /fuzz-pack-headers.c | |
parent | builtin/clone.c: don't ignore transport_fetch_refs() errors (diff) | |
download | tgif-8d133f500a5390a089988141cdec8154a732764d.tar.xz |
upload-pack.c: don't free allowed_filters util pointers
To keep track of which object filters are allowed or not, 'git
upload-pack' stores the name of each filter in a string_list, and sets
it ->util pointer to be either 0 or 1, indicating whether it is banned
or allowed.
Later on, we attempt to clear that list, but we incorrectly ask for the
util pointers to be free()'d, too. This behavior (introduced back in
6dd3456a8c (upload-pack.c: allow banning certain object filter(s),
2020-08-03)) leads to an invalid free, and causes us to crash.
In order to trigger this, one needs to fetch from a server that (a) has
at least one object filter allowed, and (b) issue a fetch that contains
a subset of the allowed filters (i.e., we cannot ask for a banned
filter, since this causes us to die() before we hit the bogus
string_list_clear()).
In that case, whatever banned filters exist will cause a noop free()
(since those ->util pointers are set to 0), but the first allowed filter
we try to free will crash us.
We never noticed this in the tests because we didn't have an example of
setting 'uploadPackFilter' configuration variables and then following up
with a valid fetch. The first new 'git clone' prevents further
regression here. For good measure on top, add a test which checks the
same behavior at a tree depth greater than 0.
Signed-off-by: Taylor Blau <me@ttaylorr.com>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
Diffstat (limited to 'fuzz-pack-headers.c')
0 files changed, 0 insertions, 0 deletions