transport: safely handle messages with no caps

ethomson · ethomson · commit d298b0298a01 · 2024-01-12T10:25:06.000Z
If there are no caps, don't try to advance past the first NULL to look
for object-format. This prevents a possible out-of-bounds read.
diff --git a/src/libgit2/transports/smart_pkt.c b/src/libgit2/transports/smart_pkt.c
@@ -232,7 +232,8 @@ static int set_data(
 
 	GIT_ASSERT_ARG(data);
 
-	if ((caps = memchr(line, '\0', len)) != NULL) {
+	if ((caps = memchr(line, '\0', len)) != NULL &&
+	    len > (size_t)((caps - line) + 1)) {
 		caps++;
 
 		if (strncmp(caps, "object-format=", CONST_STRLEN("object-format=")) == 0)
