From: Antoine Pelisse <apelisse@gmail.com>
To: Junio C Hamano <gitster@pobox.com>
Cc: git <git@vger.kernel.org>, "Torsten Bögershausen" <tboegi@web.de>,
"Wataru Noguchi" <wnoguchi.0727@gmail.com>,
"Erik Faye-Lund" <kusmabite@gmail.com>,
"Johannes Schindelin" <Johannes.Schindelin@gmx.de>,
"René Scharfe" <l.s.r@web.de>, msysGit <msysgit@googlegroups.com>
Subject: Re: [PATCH] Prevent buffer overflows when path is too long
Date: Fri, 29 Nov 2013 13:12:02 +0100 [thread overview]
Message-ID: <CALWbr2wNNxkFrzxVvCzkQkm34M=6CiBvmnqjm+p73H1MoFoD7A@mail.gmail.com> (raw)
In-Reply-To: <xmqqwqjvuelv.fsf@gitster.dls.corp.google.com>
On Tue, Nov 26, 2013 at 8:50 PM, Junio C Hamano <gitster@pobox.com> wrote:
> Antoine Pelisse <apelisse@gmail.com> writes:
>
>> Some buffers created with PATH_MAX length are not checked when being
>> written, and can overflow if PATH_MAX is not big enough to hold the
>> path.
>
> Perhaps it is time to update all of them to use strbuf? The callers
> of prefix_filename() aren't that many, and all of them are prepared
> to stash the returned value away when they keep it longer term, so
> they would not notice if we used "static struct strbuf path" and
> gave back "path.buf" (without strbuf_detach() on it). The buffer
> used in clear_ce_flags() and passed to clear_ce_flags_{1,dir} are
> not seen outside the callchain, and can safely become strbuf, I
> think.
Let's do that, but shouldn't we also modify those that are currently
safe, like absolute_path() just above prefix_filename() ?
>> abspath.c | 10 ++++++++--
>> diffcore-order.c | 14 +++++++++-----
>> unpack-trees.c | 2 ++
>> 3 files changed, 19 insertions(+), 7 deletions(-)
>>
>> diff --git a/abspath.c b/abspath.c
>> index e390994..29a5f9d 100644
>> --- a/abspath.c
>> +++ b/abspath.c
>> @@ -216,11 +216,16 @@ const char *absolute_path(const char *path)
>> const char *prefix_filename(const char *pfx, int pfx_len, const char *arg)
>> {
>> static char path[PATH_MAX];
>> +
>> + if (pfx_len >= PATH_MAX)
>> + die("Too long prefix path: %s", pfx);
>
> I do not think this is needed, and will reject a valid input that
> used to be accepted (e.g. arg is absolute so pfx does not matter).
My mistake
>> - strcpy(path + pfx_len, arg);
>> + if (strlcpy(path + pfx_len, arg, PATH_MAX - pfx_len) > PATH_MAX)
>> + die("Too long path: %s", path);
>> for (p = path + pfx_len; *p; p++)
>> if (*p == '\\')
>> *p = '/';
>
> The above is curious. Unless we are doing the short-cut for "no
> prefix so we can just return arg" codepath, we know that the
> resulting length is always pfx_len + strlen(arg), no?
If you mean that the test should be more like the following:
+ if (strlcpy(path + pfx_len, arg, PATH_MAX - pfx_len) > PATH_MAX - pfx_len)
Then of course, you are right, that's my mistake.
--
--
*** Please reply-to-all at all times ***
*** (do not pretend to know who is subscribed and who is not) ***
*** Please avoid top-posting. ***
The msysGit Wiki is here: https://github.com/msysgit/msysgit/wiki - Github accounts are free.
You received this message because you are subscribed to the Google
Groups "msysGit" group.
To post to this group, send email to msysgit@googlegroups.com
To unsubscribe from this group, send email to
msysgit+unsubscribe@googlegroups.com
For more options, and view previous threads, visit this group at
http://groups.google.com/group/msysgit?hl=en_US?hl=en
---
You received this message because you are subscribed to the Google Groups "msysGit" group.
To unsubscribe from this group and stop receiving emails from it, send an email to msysgit+unsubscribe@googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.
next prev parent reply other threads:[~2013-11-29 12:12 UTC|newest]
Thread overview: 44+ messages / expand[flat|nested] mbox.gz Atom feed top
2013-09-28 21:17 [PATCH] mingw-multibyte: fix memory acces violation and path length limits Wataru Noguchi
2013-09-28 23:18 ` Johannes Schindelin
2013-09-29 2:56 ` Wataru Noguchi
2013-09-29 11:01 ` [msysGit] " Stefan Beller
2013-10-01 13:37 ` Wataru Noguchi
2013-09-30 17:00 ` René Scharfe
2013-09-30 21:02 ` Erik Faye-Lund
2013-10-01 13:35 ` Wataru Noguchi
2013-10-02 22:26 ` Wataru Noguchi
2013-10-03 17:25 ` Antoine Pelisse
2013-10-03 17:36 ` Erik Faye-Lund
2013-10-05 11:39 ` Wataru Noguchi
2013-10-19 10:52 ` [PATCH] Prevent buffer overflows when path is too big Antoine Pelisse
2013-10-20 5:47 ` Torsten Bögershausen
2013-10-20 6:05 ` [msysGit] " Ondřej Bílka
2013-10-20 6:27 ` Torsten Bögershausen
2013-10-20 7:39 ` [msysGit] " Ondřej Bílka
2013-10-20 10:33 ` Duy Nguyen
2013-10-20 17:57 ` Antoine Pelisse
2013-10-21 1:31 ` Duy Nguyen
2013-10-21 19:02 ` Johannes Sixt
2013-10-21 19:07 ` Erik Faye-Lund
2013-10-21 19:14 ` Jeff King
2013-10-21 19:32 ` Jeff King
2013-10-23 12:55 ` [PATCH 1/2] entry.c: convert checkout_entry to use strbuf Nguyễn Thái Ngọc Duy
2013-10-23 12:55 ` [PATCH 2/2] entry.c: convert write_entry " Nguyễn Thái Ngọc Duy
2013-10-23 17:52 ` Junio C Hamano
2013-10-24 1:23 ` Duy Nguyen
2013-10-24 19:49 ` Junio C Hamano
2013-10-24 23:47 ` Duy Nguyen
2013-10-23 12:58 ` [PATCH 1/2] entry.c: convert checkout_entry " Antoine Pelisse
2013-10-23 13:04 ` Duy Nguyen
2013-10-23 13:06 ` Antoine Pelisse
2013-10-23 17:29 ` Jeff King
2013-10-23 17:34 ` Erik Faye-Lund
2013-10-23 17:52 ` Jeff King
2013-10-23 18:09 ` Junio C Hamano
2013-10-23 18:10 ` Jeff King
2013-10-24 1:55 ` [PATCH v2] " Nguyễn Thái Ngọc Duy
2013-10-23 12:55 ` [PATCH] Prevent buffer overflows when path is too big Duy Nguyen
2013-11-26 18:39 ` [PATCH] Prevent buffer overflows when path is too long Antoine Pelisse
2013-11-26 19:50 ` Junio C Hamano
2013-11-29 12:12 ` Antoine Pelisse [this message]
2013-12-14 11:31 ` Antoine Pelisse
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
List information: http://vger.kernel.org/majordomo-info.html
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to='CALWbr2wNNxkFrzxVvCzkQkm34M=6CiBvmnqjm+p73H1MoFoD7A@mail.gmail.com' \
--to=apelisse@gmail.com \
--cc=Johannes.Schindelin@gmx.de \
--cc=git@vger.kernel.org \
--cc=gitster@pobox.com \
--cc=kusmabite@gmail.com \
--cc=l.s.r@web.de \
--cc=msysgit@googlegroups.com \
--cc=tboegi@web.de \
--cc=wnoguchi.0727@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://80x24.org/mirrors/git.git
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).