From: Jeff King Date: Thu, 8 Sep 2022 04:57:29 +0000 (-0400) Subject: transport: deep-copy object-filter struct for fetch-pack X-Git-Tag: v2.38.0-rc0~6^2~3 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=3f0e86a158e85de20537e8b2c8531d09802433ba;p=thirdparty%2Fgit.git transport: deep-copy object-filter struct for fetch-pack When the transport code for the git protocol calls into fetch_pack(), it has to fill out a fetch_pack_args struct that is mostly taken from the transport options. We pass along any object-filter data by doing a struct assignment of the list_objects_filter_options struct. But doing so isn't safe; it contains allocated pointers in its filter_spec string_list, which could lead to a double-free if one side mutates or frees the string_list. And indeed, the fetch-pack code does clear and rewrite the list via expand_list_objects_filter_spec(), leaving the transport code with dangling pointers. This hasn't been a problem so far, though, because the transport code doesn't look further at the filter struct. But it should, because in some cases (when fetch-pack doesn't rewrite the list), it ends up leaking the string_list. So let's start by turning this shallow copy into a deep one, which should let us fix the transport leak in a subsequent patch. Likewise, we'll free the deep copy we made here when we're done with it (to avoid leaking). Note that it would also work to pass fetch-pack a pointer to our filter struct, rather than a copy. But it's awkward for fetch-pack to take a pointer in its arg struct; the actual git-fetch-pack command allocates a fetch_pack_args struct on the stack and expects it to contain the filter options. It could be rewritten to avoid this, but a deep copy serves our purposes just as well. Signed-off-by: Jeff King Signed-off-by: Junio C Hamano --- diff --git a/transport.c b/transport.c index b51e991e44..24540f642a 100644 --- a/transport.c +++ b/transport.c @@ -386,7 +386,8 @@ static int fetch_refs_via_pack(struct transport *transport, args.cloning = transport->cloning; args.update_shallow = data->options.update_shallow; args.from_promisor = data->options.from_promisor; - args.filter_options = data->options.filter_options; + list_objects_filter_copy(&args.filter_options, + &data->options.filter_options); args.refetch = data->options.refetch; args.stateless_rpc = transport->stateless_rpc; args.server_options = transport->server_options; @@ -453,6 +454,7 @@ cleanup: free_refs(refs_tmp); free_refs(refs); + list_objects_filter_release(&args.filter_options); return ret; }