From: Junio C Hamano <gitster@pobox.com>
To: Jeff King <peff@peff.net>
Cc: git@vger.kernel.org, Jonathan Tan <jonathantanmy@google.com>,
Jonathan Nieder <jrnieder@gmail.com>
Subject: Re: [PATCH] sha1_loose_object_info: handle errors from unpack_sha1_rest
Date: Fri, 06 Oct 2017 13:19:21 +0900 [thread overview]
Message-ID: <xmqqr2ugykl2.fsf@gitster.mtv.corp.google.com> (raw)
In-Reply-To: <20171005055952.t5ef7hyolyevoj3d@sigill.intra.peff.net> (Jeff King's message of "Thu, 5 Oct 2017 01:59:52 -0400")
Jeff King <peff@peff.net> writes:
> When a caller of sha1_object_info_extended() sets the
> "contentp" field in object_info, we call unpack_sha1_rest()
> but do not check whether it signaled an error.
>
> This causes two problems:
>
> 1. We pass back NULL to the caller via the contentp field,
> but the function returns "0" for success. A caller
> might reasonably expect after a successful return that
> it can access contentp without a NULL check and
> segfault.
>
> As it happens, this is impossible to trigger in the
> current code. There is exactly one caller which uses
> contentp, read_object(). And the only thing it does
> after a successful call is to return the content
> pointer to its caller, using NULL as a sentinel for
> errors. So in effect it converts the success code from
> sha1_object_info_extended() back into an error!
>
> But this is still worth addressing avoid problems for
> future users of "contentp".
>
> 2. Callers of unpack_sha1_rest() are expected to close the
> zlib stream themselves on error. Which means that we're
> leaking the stream.
>
> The problem in (1) comes from from c84a1f3ed4 (sha1_file:
> refactor read_object, 2017-06-21), which added the contentp
> field. Before that, we called unpack_sha1_rest() via
> unpack_sha1_file(), which directly used the NULL to signal
> an error.
>
> But note that the leak in (2) is actually older than that.
> The original unpack_sha1_file() directly returned the result
> of unpack_sha1_rest() to its caller, when it should have
> been closing the zlib stream itself on error.
>
> Signed-off-by: Jeff King <peff@peff.net>
> ---
Obviously correct. (2) is as old as Git itself; it eventually
blames down to e83c5163 ("Initial revision of "git", the information
manager from hell", 2005-04-07), where read-cache.c::unpack_sha1_file()
liberally returns NULL without cleaning up the zstream.
Thanks.
> sha1_file.c | 8 ++++++--
> 1 file changed, 6 insertions(+), 2 deletions(-)
>
> diff --git a/sha1_file.c b/sha1_file.c
> index 09ad64ce55..10c3a0083d 100644
> --- a/sha1_file.c
> +++ b/sha1_file.c
> @@ -1124,10 +1124,14 @@ static int sha1_loose_object_info(const unsigned char *sha1,
> } else if ((status = parse_sha1_header_extended(hdr, oi, flags)) < 0)
> status = error("unable to parse %s header", sha1_to_hex(sha1));
>
> - if (status >= 0 && oi->contentp)
> + if (status >= 0 && oi->contentp) {
> *oi->contentp = unpack_sha1_rest(&stream, hdr,
> *oi->sizep, sha1);
> - else
> + if (!*oi->contentp) {
> + git_inflate_end(&stream);
> + status = -1;
> + }
> + } else
> git_inflate_end(&stream);
>
> munmap(map, mapsize);
next prev parent reply other threads:[~2017-10-06 4:19 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-10-05 5:59 [PATCH] sha1_loose_object_info: handle errors from unpack_sha1_rest Jeff King
2017-10-06 4:19 ` Junio C Hamano [this message]
2017-10-06 4:30 ` Jeff King
2017-10-06 4:38 ` Jeff King
2017-10-10 1:34 ` Junio C Hamano
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
List information: http://vger.kernel.org/majordomo-info.html
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=xmqqr2ugykl2.fsf@gitster.mtv.corp.google.com \
--to=gitster@pobox.com \
--cc=git@vger.kernel.org \
--cc=jonathantanmy@google.com \
--cc=jrnieder@gmail.com \
--cc=peff@peff.net \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://80x24.org/mirrors/git.git
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).