From: Jeff King <peff@peff.net>
To: git@vger.kernel.org
Cc: "René Scharfe" <l.s.r@web.de>, "SZEDER Gábor" <szeder.dev@gmail.com>
Subject: [PATCH v2 08/13] server-info: fix blind pointer arithmetic
Date: Fri, 5 Apr 2019 14:13:10 -0400 [thread overview]
Message-ID: <20190405181310.GH32243@sigill.intra.peff.net> (raw)
In-Reply-To: <20190405180306.GA21113@sigill.intra.peff.net>
When we're writing out a new objects/info/packs file, we read back the
old one to try to keep the ordering the same. When we see a line
starting with "P", we expect "P pack-1234..." and blindly jump to "line
+ 2" to parse the pack name. If we saw a line with _just_ "P" and
nothing else, we'd jump past the end of the buffer and start reading
arbitrary memory.
This shouldn't be a big attack vector, as the files are local to the
repository and written by us, but it's clearly worth fixing (we do read
remote copies of the file for dumb-http fetches, but using a totally
different parser!).
Let's instead use skip_prefix() here, which avoids pointer arithmetic
altogether. Note that this converts our switch statement to an if/else
chain, making it slightly more verbose. But it will also make it easier
to do a few follow-on cleanups.
Signed-off-by: Jeff King <peff@peff.net>
---
server-info.c | 22 ++++++++++++----------
1 file changed, 12 insertions(+), 10 deletions(-)
diff --git a/server-info.c b/server-info.c
index e2b2d6a27a..b61a6be4c2 100644
--- a/server-info.c
+++ b/server-info.c
@@ -112,9 +112,9 @@ static struct pack_info *find_pack_by_name(const char *name)
/* Returns non-zero when we detect that the info in the
* old file is useless.
*/
-static int parse_pack_def(const char *line, int old_cnt)
+static int parse_pack_def(const char *packname, int old_cnt)
{
- struct pack_info *i = find_pack_by_name(line + 2);
+ struct pack_info *i = find_pack_by_name(packname);
if (i) {
i->old_num = old_cnt;
return 0;
@@ -139,24 +139,26 @@ static int read_pack_info_file(const char *infofile)
return 1; /* nonexistent is not an error. */
while (fgets(line, sizeof(line), fp)) {
+ const char *arg;
int len = strlen(line);
if (len && line[len-1] == '\n')
line[--len] = 0;
if (!len)
continue;
- switch (line[0]) {
- case 'P': /* P name */
- if (parse_pack_def(line, old_cnt++))
+ if (skip_prefix(line, "P ", &arg)) {
+ /* P name */
+ if (parse_pack_def(arg, old_cnt++))
goto out_stale;
- break;
- case 'D': /* we used to emit D but that was misguided. */
- case 'T': /* we used to emit T but nobody uses it. */
+ } else if (line[0] == 'D') {
+ /* we used to emit D but that was misguided. */
goto out_stale;
- default:
+ } else if (line[0] == 'T') {
+ /* we used to emit T but nobody uses it. */
+ goto out_stale;
+ } else {
error("unrecognized: %s", line);
- break;
}
}
fclose(fp);
--
2.21.0.729.g7d31bf3764
next prev parent reply other threads:[~2019-04-05 18:13 UTC|newest]
Thread overview: 48+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-04-04 23:21 [PATCH 0/12] a rabbit hole of update-server-info fixes Jeff King
2019-04-04 23:22 ` [PATCH 01/12] t5319: fix bogus cat-file argument Jeff King
2019-04-05 0:44 ` Ramsay Jones
2019-04-05 1:41 ` Jeff King
2019-04-05 1:46 ` Jeff King
2019-04-04 23:22 ` [PATCH 02/12] t5319: drop useless --buffer from cat-file Jeff King
2019-04-04 23:22 ` [PATCH 03/12] packfile: factor out .pack to .idx name conversion Jeff King
2019-04-04 23:25 ` [PATCH 04/12] packfile: check midx coverage with .idx rather than .pack Jeff King
2019-04-05 8:05 ` René Scharfe
2019-04-05 13:21 ` Jeff King
2019-04-05 13:30 ` Jeff King
2019-04-05 12:01 ` SZEDER Gábor
2019-04-05 13:40 ` Jeff King
2019-04-04 23:27 ` [PATCH 05/12] http: simplify parsing of remote objects/info/packs Jeff King
2019-04-05 10:41 ` René Scharfe
2019-04-05 18:11 ` Jeff King
2019-04-05 20:17 ` René Scharfe
2019-04-04 23:27 ` [PATCH 06/12] server-info: fix blind pointer arithmetic Jeff King
2019-04-04 23:28 ` [PATCH 07/12] server-info: simplify cleanup in parse_pack_def() Jeff King
2019-04-04 23:28 ` [PATCH 08/12] server-info: use strbuf to read old info/packs file Jeff King
2019-04-04 23:29 ` [PATCH 09/12] server-info: drop nr_alloc struct member Jeff King
2019-04-04 23:30 ` [PATCH 10/12] packfile.h: drop extern from function declarations Jeff King
2019-04-04 23:30 ` [PATCH 11/12] server-info: drop objdirlen pointer arithmetic Jeff King
2019-04-04 23:31 ` [PATCH 12/12] update_info_refs(): drop unused force parameter Jeff King
2019-04-05 5:46 ` [PATCH 0/12] a rabbit hole of update-server-info fixes Junio C Hamano
2019-04-05 18:03 ` [PATCH v2 0/13] a rabbit hole of update-server-info (and midx!) fixes Jeff King
2019-04-05 18:03 ` [PATCH v2 01/13] packfile.h: drop extern from function declarations Jeff King
2019-04-05 19:19 ` Ramsay Jones
2019-04-05 19:25 ` Jeff King
2019-04-08 5:13 ` Junio C Hamano
2019-04-08 20:32 ` Jeff King
2019-04-09 15:08 ` Junio C Hamano
2019-04-09 15:15 ` Jeff King
2019-04-05 18:04 ` [PATCH v2 02/13] pack-revindex: open index if necessary Jeff King
2019-04-05 18:04 ` [PATCH v2 03/13] t5319: fix bogus cat-file argument Jeff King
2019-04-05 18:05 ` [PATCH v2 04/13] t5319: drop useless --buffer from cat-file Jeff King
2019-04-05 18:06 ` [PATCH v2 05/13] midx: check both pack and index names for containment Jeff King
2019-04-05 20:18 ` René Scharfe
2019-04-05 18:06 ` [PATCH v2 06/13] packfile: fix pack basename computation Jeff King
2019-04-05 18:12 ` [PATCH v2 07/13] http: simplify parsing of remote objects/info/packs Jeff King
2019-04-05 18:13 ` Jeff King [this message]
2019-04-05 18:13 ` [PATCH v2 09/13] server-info: simplify cleanup in parse_pack_def() Jeff King
2019-04-05 18:16 ` Jeff King
2019-04-05 18:13 ` [PATCH v2 10/13] server-info: use strbuf to read old info/packs file Jeff King
2019-04-05 18:14 ` [PATCH v2 11/13] server-info: drop nr_alloc struct member Jeff King
2019-04-05 18:14 ` [PATCH v2 12/13] server-info: drop objdirlen pointer arithmetic Jeff King
2019-04-05 18:14 ` [PATCH v2 13/13] update_info_refs(): drop unused force parameter Jeff King
2019-04-05 18:19 ` [PATCH v2 0/13] a rabbit hole of update-server-info (and midx!) fixes Jeff King
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
List information: http://vger.kernel.org/majordomo-info.html
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20190405181310.GH32243@sigill.intra.peff.net \
--to=peff@peff.net \
--cc=git@vger.kernel.org \
--cc=l.s.r@web.de \
--cc=szeder.dev@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://80x24.org/mirrors/git.git
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).