git@vger.kernel.org mailing list mirror (one of many)
From: Jeff King <peff@peff.net>
To: Eric Sunshine <sunshine@sunshineco.com>
Cc: "Junio C Hamano" <gitster@pobox.com>,
	孟子易 <mengziyi540841@gmail.com>,
	git@vger.kernel.org
Subject: [PATCH 1/3] shorten_unambiguous_ref(): avoid integer truncation
Date: Tue, 14 Feb 2023 13:39:41 -0500	[thread overview]
Message-ID: <Y+vVbdS79fZHRs6H@coredump.intra.peff.net> (raw)
In-Reply-To: <Y+vVFFCRem6t4IGM@coredump.intra.peff.net>

We parse the shortened name "foo" out of the full refname
"refs/heads/foo", and then assign the result of strlen(short_name) to an
int, which may truncate or wrap to negative.

In practice, this should never happen, as it requires a 2GB refname. And
even somebody trying to do something malicious should at worst end up
with a confused answer (we use the size only to feed back as a
placeholder length to strbuf_addf() to see if there are any collisions
in the lookup rules).

And it may even be impossible to trigger this, as we parse the string
with sscanf(), and stdio formatting functions are not known for handling
large strings well. I didn't test, but I wouldn't be surprised if
sscanf() on many platforms simply reports no match here.

But even if it is not a problem in practice so far, it is worth fixing
for two reasons:

  1. We'll shortly be replacing the sscanf() call with a real parser
     which will handle arbitrary-sized strings.

  2. Assigning strlen() to an int is an anti-pattern that requires
     people to look twice when auditing for real overflow problems.

So we'll make this a size_t. Unfortunately we still have to cast to int
eventually for the strbuf_addf() call, but at least we can localize the
cast there, and check that it will be valid. I used our new cast helper
here, which will just bail completely. That should be OK, as anybody
with a 2GB refname is up to no good, but if we really wanted to, we
could detect it manually and just refuse to shorten the refname.

Signed-off-by: Jeff King <peff@peff.net>
---
 refs.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/refs.c b/refs.c
index e31dbcda59..94d938390d 100644
--- a/refs.c
+++ b/refs.c
@@ -1356,7 +1356,7 @@ char *refs_shorten_unambiguous_ref(struct ref_store *refs,
 	for (i = nr_rules - 1; i > 0 ; --i) {
 		int j;
 		int rules_to_fail = i;
-		int short_name_len;
+		size_t short_name_len;
 
 		if (1 != sscanf(refname, scanf_fmts[i], short_name))
 			continue;
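Review bot: the declaration at the top of this hunk changes `short_name_len` to `size_t`, but the neighbouring loop counters `int j;` and `int rules_to_fail = i;` stay signed; if `short_name_len` is compared against either of them further down the loop (outside the hunk), that now becomes a signed/unsigned comparison, so it is worth confirming the only consumer is the `strbuf_addf()` argument the message describes, and that the assignment from `strlen(short_name)` (also not shown here) is the single place the value is set.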
@@ -1388,7 +1388,8 @@ char *refs_shorten_unambiguous_ref(struct ref_store *refs,
 			 */
 			strbuf_reset(&resolved_buf);
 			strbuf_addf(&resolved_buf, rule,
-				    short_name_len, short_name);
+				    cast_size_t_to_int(short_name_len),
+				    short_name);
 			if (refs_ref_exists(refs, resolved_buf.buf))
 				break;
 		}
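Review bot: `cast_size_t_to_int(short_name_len)` turns an oversized short name into a hard `die()` in the middle of a best-effort lookup loop, whereas the commit message itself notes the alternative of refusing to shorten; since the rest of this loop already uses `continue`/`break` to skip rules that do not apply, an explicit bound check before the `strbuf_addf()` call (skipping the rule, or returning the full refname, when `short_name_len` exceeds `INT_MAX`) would keep the no-truncation guarantee without making a bad refname fatal. Either choice is defensible; a one-line comment next to the cast saying the die() is intentional would help the next reader.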
-- 
2.39.1.849.g86e176252e

