commit 54d1a70f7c4cc24dd91d7f73a5fbd5aa6f6f97d9
from: Stefan Sperling
date: Wed Mar 18 16:11:31 2020 UTC
verify that length string read from packet contains hex digits only
commit - 4dc8ee099c58807be7ed93940d6209c44cc4729a
commit + 54d1a70f7c4cc24dd91d7f73a5fbd5aa6f6f97d9
blob - 8ce243b9a22fbe36868976dc8ed6fd9eabf050ba
blob + d6afe7dc9203acfae069ac340451fcf29b2e7377
--- libexec/got-fetch-pack/got-fetch-pack.c
+++ libexec/got-fetch-pack/got-fetch-pack.c
@@ -99,7 +99,7 @@ readpkt(int *outlen, int fd, char *buf, int nbuf)
 char lenstr[5];
 long len;
 char *e;
- int n;
+ int n, i;
 ssize_t r;
 *outlen = 0;
@@ -111,6 +111,10 @@ readpkt(int *outlen, int fd, char *buf, int nbuf)
 return got_error(GOT_ERR_IO);
 lenstr[4] = '\0';
+ for (i = 0; i < 4; i++) {
+ if (!isxdigit(lenstr[i]))
+ return got_error(GOT_ERR_BAD_PACKET);
+ }
 errno = 0;
 len = strtol(lenstr, &e, 16);
 if (lenstr[0] == '\0' || *e != '\0')
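Review bot: In the second hunk, `isxdigit(lenstr[i])` is applied to a plain `char` whose bytes come straight off the packet fd, so on a platform where `char` is signed a byte >= 0x80 from a malicious or corrupt peer is passed as a negative value, which is undefined behaviour for the `<ctype.h>` classifiers (they accept only `unsigned char` values or EOF); cast first, `if (!isxdigit((unsigned char)lenstr[i]))`. The loop itself is the right fix for `strtol` silently accepting leading whitespace and a sign in the four-byte length field, and the existing `*e != '\0'` check below it can stay as a belt-and-braces guard. The hunk does not show whether `<ctype.h>` is included in this file; presumably it is, but that should be confirmed. readpkt's body starts and ends outside the hunk.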