From: Antoine Pelisse <apelisse@gmail.com>
To: git@vger.kernel.org, Junio C Hamano <gitster@pobox.com>
Cc: Antoine Pelisse <apelisse@gmail.com>
Subject: [PATCH] Prevent buffer overflows when path is too long
Date: Sat, 14 Dec 2013 12:31:16 +0100 [thread overview]
Message-ID: <1387020676-5569-1-git-send-email-apelisse@gmail.com> (raw)
In-Reply-To: <xmqqwqjvuelv.fsf@gitster.dls.corp.google.com>
Some buffers created with PATH_MAX length are not checked when being
written, and can overflow if PATH_MAX is not big enough to hold the
path.
Replace those buffers by strbufs so that their size is automatically
grown if necessary. They are created as static local variables to avoid
reallocating memory on each call. Note that prefix_filename() returns
this static buffer so each callers should copy or use the string
immediately (this is currently true).
Reported-by: Wataru Noguchi <wnoguchi.0727@gmail.com>
Signed-off-by: Antoine Pelisse <apelisse@gmail.com>
---
abspath.c | 16 +++++++++-------
diffcore-order.c | 11 ++++++-----
unpack-trees.c | 51 +++++++++++++++++++++++++++------------------------
3 files changed, 42 insertions(+), 36 deletions(-)
diff --git a/abspath.c b/abspath.c
index e390994..9c908e3 100644
--- a/abspath.c
+++ b/abspath.c
@@ -215,23 +215,25 @@ const char *absolute_path(const char *path)
*/
const char *prefix_filename(const char *pfx, int pfx_len, const char *arg)
{
- static char path[PATH_MAX];
+ static struct strbuf path = STRBUF_INIT;
#ifndef GIT_WINDOWS_NATIVE
if (!pfx_len || is_absolute_path(arg))
return arg;
- memcpy(path, pfx, pfx_len);
- strcpy(path + pfx_len, arg);
+ strbuf_reset(&path);
+ strbuf_add(&path, pfx, pfx_len);
+ strbuf_addstr(&path, arg);
#else
char *p;
/* don't add prefix to absolute paths, but still replace '\' by '/' */
+ strbuf_reset(&path);
if (is_absolute_path(arg))
pfx_len = 0;
else if (pfx_len)
- memcpy(path, pfx, pfx_len);
- strcpy(path + pfx_len, arg);
- for (p = path + pfx_len; *p; p++)
+ strbuf_add(&path, pfx, pfx_len);
+ strbuf_addstr(&path, arg);
+ for (p = path.buf + pfx_len; *p; p++)
if (*p == '\\')
*p = '/';
#endif
- return path;
+ return path.buf;
}
diff --git a/diffcore-order.c b/diffcore-order.c
index 23e9385..50c089b 100644
--- a/diffcore-order.c
+++ b/diffcore-order.c
@@ -73,15 +73,16 @@ struct pair_order {
static int match_order(const char *path)
{
int i;
- char p[PATH_MAX];
+ static struct strbuf p = STRBUF_INIT;
for (i = 0; i < order_cnt; i++) {
- strcpy(p, path);
- while (p[0]) {
+ strbuf_reset(&p);
+ strbuf_addstr(&p, path);
+ while (p.buf[0]) {
char *cp;
- if (!fnmatch(order[i], p, 0))
+ if (!fnmatch(order[i], p.buf, 0))
return i;
- cp = strrchr(p, '/');
+ cp = strrchr(p.buf, '/');
if (!cp)
break;
*cp = 0;
diff --git a/unpack-trees.c b/unpack-trees.c
index ad3e9a0..164354d 100644
--- a/unpack-trees.c
+++ b/unpack-trees.c
@@ -830,23 +830,24 @@ static int unpack_callback(int n, unsigned long mask, unsigned long dirmask, str
}
static int clear_ce_flags_1(struct cache_entry **cache, int nr,
- char *prefix, int prefix_len,
+ struct strbuf *prefix,
int select_mask, int clear_mask,
struct exclude_list *el, int defval);
/* Whole directory matching */
static int clear_ce_flags_dir(struct cache_entry **cache, int nr,
- char *prefix, int prefix_len,
+ struct strbuf *prefix,
char *basename,
int select_mask, int clear_mask,
struct exclude_list *el, int defval)
{
struct cache_entry **cache_end;
int dtype = DT_DIR;
- int ret = is_excluded_from_list(prefix, prefix_len,
+ int ret = is_excluded_from_list(prefix->buf, prefix->len,
basename, &dtype, el);
+ int rc;
- prefix[prefix_len++] = '/';
+ strbuf_addch(prefix, '/');
/* If undecided, use matching result of parent dir in defval */
if (ret < 0)
@@ -854,7 +855,7 @@ static int clear_ce_flags_dir(struct cache_entry **cache, int nr,
for (cache_end = cache; cache_end != cache + nr; cache_end++) {
struct cache_entry *ce = *cache_end;
- if (strncmp(ce->name, prefix, prefix_len))
+ if (strncmp(ce->name, prefix->buf, prefix->len))
break;
}
@@ -865,10 +866,12 @@ static int clear_ce_flags_dir(struct cache_entry **cache, int nr,
* calling clear_ce_flags_1(). That function will call
* the expensive is_excluded_from_list() on every entry.
*/
- return clear_ce_flags_1(cache, cache_end - cache,
- prefix, prefix_len,
- select_mask, clear_mask,
- el, ret);
+ rc = clear_ce_flags_1(cache, cache_end - cache,
+ prefix,
+ select_mask, clear_mask,
+ el, ret);
+ strbuf_setlen(prefix, prefix->len - 1);
+ return rc;
}
/*
@@ -887,7 +890,7 @@ static int clear_ce_flags_dir(struct cache_entry **cache, int nr,
* Top level path has prefix_len zero.
*/
static int clear_ce_flags_1(struct cache_entry **cache, int nr,
- char *prefix, int prefix_len,
+ struct strbuf *prefix,
int select_mask, int clear_mask,
struct exclude_list *el, int defval)
{
@@ -907,10 +910,10 @@ static int clear_ce_flags_1(struct cache_entry **cache, int nr,
continue;
}
- if (prefix_len && strncmp(ce->name, prefix, prefix_len))
+ if (prefix->len && strncmp(ce->name, prefix->buf, prefix->len))
break;
- name = ce->name + prefix_len;
+ name = ce->name + prefix->len;
slash = strchr(name, '/');
/* If it's a directory, try whole directory match first */
@@ -918,29 +921,26 @@ static int clear_ce_flags_1(struct cache_entry **cache, int nr,
int processed;
len = slash - name;
- memcpy(prefix + prefix_len, name, len);
+ strbuf_add(prefix, name, len);
- /*
- * terminate the string (no trailing slash),
- * clear_c_f_dir needs it
- */
- prefix[prefix_len + len] = '\0';
processed = clear_ce_flags_dir(cache, cache_end - cache,
- prefix, prefix_len + len,
- prefix + prefix_len,
+ prefix,
+ prefix->buf + prefix->len - len,
select_mask, clear_mask,
el, defval);
/* clear_c_f_dir eats a whole dir already? */
if (processed) {
cache += processed;
+ strbuf_setlen(prefix, prefix->len - len);
continue;
}
- prefix[prefix_len + len++] = '/';
+ strbuf_addch(prefix, '/');
cache += clear_ce_flags_1(cache, cache_end - cache,
- prefix, prefix_len + len,
+ prefix,
select_mask, clear_mask, el, defval);
+ strbuf_setlen(prefix, prefix->len - len - 1);
continue;
}
@@ -961,9 +961,12 @@ static int clear_ce_flags(struct cache_entry **cache, int nr,
int select_mask, int clear_mask,
struct exclude_list *el)
{
- char prefix[PATH_MAX];
+ static struct strbuf prefix = STRBUF_INIT;
+
+ strbuf_reset(&prefix);
+
return clear_ce_flags_1(cache, nr,
- prefix, 0,
+ &prefix,
select_mask, clear_mask,
el, 0);
}
--
1.8.5.1.94.g19422b2
prev parent reply other threads:[~2013-12-14 11:31 UTC|newest]
Thread overview: 44+ messages / expand[flat|nested] mbox.gz Atom feed top
2013-09-28 21:17 [PATCH] mingw-multibyte: fix memory acces violation and path length limits Wataru Noguchi
2013-09-28 23:18 ` Johannes Schindelin
2013-09-29 2:56 ` Wataru Noguchi
2013-09-29 11:01 ` [msysGit] " Stefan Beller
2013-10-01 13:37 ` Wataru Noguchi
2013-09-30 17:00 ` René Scharfe
2013-09-30 21:02 ` Erik Faye-Lund
2013-10-01 13:35 ` Wataru Noguchi
2013-10-02 22:26 ` Wataru Noguchi
2013-10-03 17:25 ` Antoine Pelisse
2013-10-03 17:36 ` Erik Faye-Lund
2013-10-05 11:39 ` Wataru Noguchi
2013-10-19 10:52 ` [PATCH] Prevent buffer overflows when path is too big Antoine Pelisse
2013-10-20 5:47 ` Torsten Bögershausen
2013-10-20 6:05 ` [msysGit] " Ondřej Bílka
2013-10-20 6:27 ` Torsten Bögershausen
2013-10-20 7:39 ` [msysGit] " Ondřej Bílka
2013-10-20 10:33 ` Duy Nguyen
2013-10-20 17:57 ` Antoine Pelisse
2013-10-21 1:31 ` Duy Nguyen
2013-10-21 19:02 ` Johannes Sixt
2013-10-21 19:07 ` Erik Faye-Lund
2013-10-21 19:14 ` Jeff King
2013-10-21 19:32 ` Jeff King
2013-10-23 12:55 ` [PATCH 1/2] entry.c: convert checkout_entry to use strbuf Nguyễn Thái Ngọc Duy
2013-10-23 12:55 ` [PATCH 2/2] entry.c: convert write_entry " Nguyễn Thái Ngọc Duy
2013-10-23 17:52 ` Junio C Hamano
2013-10-24 1:23 ` Duy Nguyen
2013-10-24 19:49 ` Junio C Hamano
2013-10-24 23:47 ` Duy Nguyen
2013-10-23 12:58 ` [PATCH 1/2] entry.c: convert checkout_entry " Antoine Pelisse
2013-10-23 13:04 ` Duy Nguyen
2013-10-23 13:06 ` Antoine Pelisse
2013-10-23 17:29 ` Jeff King
2013-10-23 17:34 ` Erik Faye-Lund
2013-10-23 17:52 ` Jeff King
2013-10-23 18:09 ` Junio C Hamano
2013-10-23 18:10 ` Jeff King
2013-10-24 1:55 ` [PATCH v2] " Nguyễn Thái Ngọc Duy
2013-10-23 12:55 ` [PATCH] Prevent buffer overflows when path is too big Duy Nguyen
2013-11-26 18:39 ` [PATCH] Prevent buffer overflows when path is too long Antoine Pelisse
2013-11-26 19:50 ` Junio C Hamano
2013-11-29 12:12 ` Antoine Pelisse
2013-12-14 11:31 ` Antoine Pelisse [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
List information: http://vger.kernel.org/majordomo-info.html
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1387020676-5569-1-git-send-email-apelisse@gmail.com \
--to=apelisse@gmail.com \
--cc=git@vger.kernel.org \
--cc=gitster@pobox.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://80x24.org/mirrors/git.git
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).