Description |
Each packet line in the Git protocol is prefixed by a four-byte length of how much data will follow, which we parse in `git_pkt_parse_line`. The transmitted length can either be equal to zero in case of a flush packet or has to be at least of length four, as it also includes the encoded length itself. Not checking this may result in a buffer overflow as it directly passes the length to functions which accept a `size_t` length as parameter.
The issue is fixed by verifying that non-flush packets have at least a length of `PKT_LEN_SIZE`. |