From: Antoine Pelisse <apelisse@gmail.com>
To: git@vger.kernel.org
Cc: "Wataru Noguchi" <wnoguchi.0727@gmail.com>,
"Erik Faye-Lund" <kusmabite@gmail.com>,
"Johannes Schindelin" <Johannes.Schindelin@gmx.de>,
"René Scharfe" <l.s.r@web.de>, msysGit <msysgit@googlegroups.com>,
"Antoine Pelisse" <apelisse@gmail.com>
Subject: [PATCH] Prevent buffer overflows when path is too big
Date: Sat, 19 Oct 2013 12:52:34 +0200 [thread overview]
Message-ID: <1382179954-5169-1-git-send-email-apelisse@gmail.com> (raw)
In-Reply-To: <CABPQNSaqjKPGAQ4EKBSk+bQP2WMksc6M0YQxSkB91UrnFF28xQ@mail.gmail.com>
Currently, most buffers created with PATH_MAX length, are not checked
when being written, and can overflow if PATH_MAX is not big enough to
hold the path.
Fix that by using strlcpy() where strcpy() was used, and also run some
extra checks when copy is done with memcpy().
Reported-by: Wataru Noguchi <wnoguchi.0727@gmail.com>
Signed-off-by: Antoine Pelisse <apelisse@gmail.com>
---
abspath.c | 10 +++++++---
diffcore-order.c | 2 +-
entry.c | 14 ++++++++++----
unpack-trees.c | 2 ++
4 files changed, 20 insertions(+), 8 deletions(-)
diff --git a/abspath.c b/abspath.c
index 64adbe2..0e60ba4 100644
--- a/abspath.c
+++ b/abspath.c
@@ -216,11 +216,15 @@ const char *absolute_path(const char *path)
const char *prefix_filename(const char *pfx, int pfx_len, const char *arg)
{
static char path[PATH_MAX];
+
+ if (pfx_len > PATH_MAX)
+ die("Too long prefix path: %s", pfx);
+
#ifndef GIT_WINDOWS_NATIVE
if (!pfx_len || is_absolute_path(arg))
return arg;
memcpy(path, pfx, pfx_len);
- strcpy(path + pfx_len, arg);
+ strlcpy(path + pfx_len, arg, PATH_MAX - pfx_len);
#else
char *p;
/* don't add prefix to absolute paths, but still replace '\' by '/' */
@@ -228,8 +232,8 @@ const char *prefix_filename(const char *pfx, int pfx_len, const char *arg)
pfx_len = 0;
else if (pfx_len)
memcpy(path, pfx, pfx_len);
- strcpy(path + pfx_len, arg);
- for (p = path + pfx_len; *p; p++)
+ strlcpy(path + pfx_len, arg, PATH_MAX - pfx_len);
+ for (p = path + pfx_len; p < path + PATH_MAX && *p; p++)
if (*p == '\\')
*p = '/';
#endif
diff --git a/diffcore-order.c b/diffcore-order.c
index 23e9385..f083c82 100644
--- a/diffcore-order.c
+++ b/diffcore-order.c
@@ -76,7 +76,7 @@ static int match_order(const char *path)
char p[PATH_MAX];
for (i = 0; i < order_cnt; i++) {
- strcpy(p, path);
+ strlcpy(p, path, PATH_MAX);
while (p[0]) {
char *cp;
if (!fnmatch(order[i], p, 0))
diff --git a/entry.c b/entry.c
index acc892f..39bee42 100644
--- a/entry.c
+++ b/entry.c
@@ -50,17 +50,20 @@ static void remove_subtree(const char *path)
struct dirent *de;
char pathbuf[PATH_MAX];
char *name;
+ size_t pathlen;
if (!dir)
die_errno("cannot opendir '%s'", path);
- strcpy(pathbuf, path);
- name = pathbuf + strlen(path);
+ strlcpy(pathbuf, path, PATH_MAX);
+ pathlen = strlen(path);
+ name = pathbuf + pathlen;
*name++ = '/';
+ pathlen++;
while ((de = readdir(dir)) != NULL) {
struct stat st;
if (is_dot_or_dotdot(de->d_name))
continue;
- strcpy(name, de->d_name);
+ strlcpy(name, de->d_name, PATH_MAX - pathlen);
if (lstat(pathbuf, &st))
die_errno("cannot lstat '%s'", pathbuf);
if (S_ISDIR(st.st_mode))
@@ -244,8 +247,11 @@ int checkout_entry(struct cache_entry *ce,
if (topath)
return write_entry(ce, topath, state, 1);
+ if (len > PATH_MAX + 1)
+ die("Too long path: %s", state->base_dir);
+
memcpy(path, state->base_dir, len);
- strcpy(path + len, ce->name);
+ strlcpy(path + len, ce->name, PATH_MAX + 1 - len);
len += ce_namelen(ce);
if (!check_path(path, len, &st, state->base_dir_len)) {
diff --git a/unpack-trees.c b/unpack-trees.c
index 1a61e6f..85473b1 100644
--- a/unpack-trees.c
+++ b/unpack-trees.c
@@ -918,6 +918,8 @@ static int clear_ce_flags_1(struct cache_entry **cache, int nr,
int processed;
len = slash - name;
+ if (len + prefix_len >= PATH_MAX)
+ len = PATH_MAX - prefix_len - 1;
memcpy(prefix + prefix_len, name, len);
/*
--
1.8.4.1.507.g9768648.dirty
--
--
*** Please reply-to-all at all times ***
*** (do not pretend to know who is subscribed and who is not) ***
*** Please avoid top-posting. ***
The msysGit Wiki is here: https://github.com/msysgit/msysgit/wiki - Github accounts are free.
You received this message because you are subscribed to the Google
Groups "msysGit" group.
To post to this group, send email to msysgit@googlegroups.com
To unsubscribe from this group, send email to
msysgit+unsubscribe@googlegroups.com
For more options, and view previous threads, visit this group at
http://groups.google.com/group/msysgit?hl=en_US?hl=en
---
You received this message because you are subscribed to the Google Groups "msysGit" group.
To unsubscribe from this group and stop receiving emails from it, send an email to msysgit+unsubscribe@googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.
next prev parent reply other threads:[~2013-10-19 10:53 UTC|newest]
Thread overview: 44+ messages / expand[flat|nested] mbox.gz Atom feed top
2013-09-28 21:17 [PATCH] mingw-multibyte: fix memory acces violation and path length limits Wataru Noguchi
2013-09-28 23:18 ` Johannes Schindelin
2013-09-29 2:56 ` Wataru Noguchi
2013-09-29 11:01 ` [msysGit] " Stefan Beller
2013-10-01 13:37 ` Wataru Noguchi
2013-09-30 17:00 ` René Scharfe
2013-09-30 21:02 ` Erik Faye-Lund
2013-10-01 13:35 ` Wataru Noguchi
2013-10-02 22:26 ` Wataru Noguchi
2013-10-03 17:25 ` Antoine Pelisse
2013-10-03 17:36 ` Erik Faye-Lund
2013-10-05 11:39 ` Wataru Noguchi
2013-10-19 10:52 ` Antoine Pelisse [this message]
2013-10-20 5:47 ` [PATCH] Prevent buffer overflows when path is too big Torsten Bögershausen
2013-10-20 6:05 ` [msysGit] " Ondřej Bílka
2013-10-20 6:27 ` Torsten Bögershausen
2013-10-20 7:39 ` [msysGit] " Ondřej Bílka
2013-10-20 10:33 ` Duy Nguyen
2013-10-20 17:57 ` Antoine Pelisse
2013-10-21 1:31 ` Duy Nguyen
2013-10-21 19:02 ` Johannes Sixt
2013-10-21 19:07 ` Erik Faye-Lund
2013-10-21 19:14 ` Jeff King
2013-10-21 19:32 ` Jeff King
2013-10-23 12:55 ` [PATCH 1/2] entry.c: convert checkout_entry to use strbuf Nguyễn Thái Ngọc Duy
2013-10-23 12:55 ` [PATCH 2/2] entry.c: convert write_entry " Nguyễn Thái Ngọc Duy
2013-10-23 17:52 ` Junio C Hamano
2013-10-24 1:23 ` Duy Nguyen
2013-10-24 19:49 ` Junio C Hamano
2013-10-24 23:47 ` Duy Nguyen
2013-10-23 12:58 ` [PATCH 1/2] entry.c: convert checkout_entry " Antoine Pelisse
2013-10-23 13:04 ` Duy Nguyen
2013-10-23 13:06 ` Antoine Pelisse
2013-10-23 17:29 ` Jeff King
2013-10-23 17:34 ` Erik Faye-Lund
2013-10-23 17:52 ` Jeff King
2013-10-23 18:09 ` Junio C Hamano
2013-10-23 18:10 ` Jeff King
2013-10-24 1:55 ` [PATCH v2] " Nguyễn Thái Ngọc Duy
2013-10-23 12:55 ` [PATCH] Prevent buffer overflows when path is too big Duy Nguyen
2013-11-26 18:39 ` [PATCH] Prevent buffer overflows when path is too long Antoine Pelisse
2013-11-26 19:50 ` Junio C Hamano
2013-11-29 12:12 ` Antoine Pelisse
2013-12-14 11:31 ` Antoine Pelisse
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
List information: http://vger.kernel.org/majordomo-info.html
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1382179954-5169-1-git-send-email-apelisse@gmail.com \
--to=apelisse@gmail.com \
--cc=Johannes.Schindelin@gmx.de \
--cc=git@vger.kernel.org \
--cc=kusmabite@gmail.com \
--cc=l.s.r@web.de \
--cc=msysgit@googlegroups.com \
--cc=wnoguchi.0727@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://80x24.org/mirrors/git.git
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).