From: Junio C Hamano <gitster@pobox.com>
To: Antoine Pelisse <apelisse@gmail.com>
Cc: git@vger.kernel.org, "Torsten Bögershausen" <tboegi@web.de>,
"Wataru Noguchi" <wnoguchi.0727@gmail.com>,
"Erik Faye-Lund" <kusmabite@gmail.com>,
"Johannes Schindelin" <Johannes.Schindelin@gmx.de>,
"René Scharfe" <l.s.r@web.de>, msysGit <msysgit@googlegroups.com>
Subject: Re: [PATCH] Prevent buffer overflows when path is too long
Date: Tue, 26 Nov 2013 11:50:36 -0800 [thread overview]
Message-ID: <xmqqwqjvuelv.fsf@gitster.dls.corp.google.com> (raw)
In-Reply-To: <1385491163-18407-1-git-send-email-apelisse@gmail.com> (Antoine Pelisse's message of "Tue, 26 Nov 2013 19:39:23 +0100")
Antoine Pelisse <apelisse@gmail.com> writes:
> Some buffers created with PATH_MAX length are not checked when being
> written, and can overflow if PATH_MAX is not big enough to hold the
> path.
Perhaps it is time to update all of them to use strbuf? The callers
of prefix_filename() aren't that many, and all of them are prepared
to stash the returned value away when they keep it longer term, so
they would not notice if we used "static struct strbuf path" and
gave back "path.buf" (without strbuf_detach() on it). The buffer
used in clear_ce_flags() and passed to clear_ce_flags_{1,dir} are
not seen outside the callchain, and can safely become strbuf, I
think.
> abspath.c | 10 ++++++++--
> diffcore-order.c | 14 +++++++++-----
> unpack-trees.c | 2 ++
> 3 files changed, 19 insertions(+), 7 deletions(-)
>
> diff --git a/abspath.c b/abspath.c
> index e390994..29a5f9d 100644
> --- a/abspath.c
> +++ b/abspath.c
> @@ -216,11 +216,16 @@ const char *absolute_path(const char *path)
> const char *prefix_filename(const char *pfx, int pfx_len, const char *arg)
> {
> static char path[PATH_MAX];
> +
> + if (pfx_len >= PATH_MAX)
> + die("Too long prefix path: %s", pfx);
I do not think this is needed, and will reject a valid input that
used to be accepted (e.g. arg is absolute so pfx does not matter).
> #ifndef GIT_WINDOWS_NATIVE
> if (!pfx_len || is_absolute_path(arg))
> return arg;
> memcpy(path, pfx, pfx_len);
> - strcpy(path + pfx_len, arg);
> + if (strlcpy(path + pfx_len, arg, PATH_MAX - pfx_len) > PATH_MAX)
> + die("Too long path: %s", path);
Rather, have that "too long a prefix?" check before that memcpy().
> #else
> char *p;
> /* don't add prefix to absolute paths, but still replace '\' by '/' */
> @@ -228,7 +233,8 @@ const char *prefix_filename(const char *pfx, int pfx_len, const char *arg)
> pfx_len = 0;
> else if (pfx_len)
> memcpy(path, pfx, pfx_len);
... and around here.
> - strcpy(path + pfx_len, arg);
> + if (strlcpy(path + pfx_len, arg, PATH_MAX - pfx_len) > PATH_MAX)
> + die("Too long path: %s", path);
> for (p = path + pfx_len; *p; p++)
> if (*p == '\\')
> *p = '/';
The above is curious. Unless we are doing the short-cut for "no
prefix so we can just return arg" codepath, we know that the
resulting length is always pfx_len + strlen(arg), no?
> diff --git a/diffcore-order.c b/diffcore-order.c
> index 23e9385..87193f8 100644
> --- a/diffcore-order.c
> +++ b/diffcore-order.c
> @@ -73,20 +73,24 @@ struct pair_order {
> static int match_order(const char *path)
> {
> int i;
> - char p[PATH_MAX];
> + struct strbuf p = STRBUF_INIT;
>
> for (i = 0; i < order_cnt; i++) {
> - strcpy(p, path);
> - while (p[0]) {
> + strbuf_reset(&p);
> + strbuf_addstr(&p, path);
> + while (p.buf[0]) {
> char *cp;
> - if (!fnmatch(order[i], p, 0))
> + if (!fnmatch(order[i], p.buf, 0)) {
> + strbuf_release(&p);
> return i;
> - cp = strrchr(p, '/');
> + }
> + cp = strrchr(p.buf, '/');
> if (!cp)
> break;
> *cp = 0;
> }
> }
> + strbuf_release(&p);
> return order_cnt;
> }
>
> diff --git a/unpack-trees.c b/unpack-trees.c
> index 35cb05e..f93565b 100644
> --- a/unpack-trees.c
> +++ b/unpack-trees.c
> @@ -918,6 +918,8 @@ static int clear_ce_flags_1(struct cache_entry **cache, int nr,
> int processed;
>
> len = slash - name;
> + if (len + prefix_len >= PATH_MAX)
> + die("Too long path: %s", prefix);
> memcpy(prefix + prefix_len, name, len);
>
> /*
> --
> 1.8.5.rc3.1.ga0b6b91
>
> --
--
--
*** Please reply-to-all at all times ***
*** (do not pretend to know who is subscribed and who is not) ***
*** Please avoid top-posting. ***
The msysGit Wiki is here: https://github.com/msysgit/msysgit/wiki - Github accounts are free.
You received this message because you are subscribed to the Google
Groups "msysGit" group.
To post to this group, send email to msysgit@googlegroups.com
To unsubscribe from this group, send email to
msysgit+unsubscribe@googlegroups.com
For more options, and view previous threads, visit this group at
http://groups.google.com/group/msysgit?hl=en_US?hl=en
---
You received this message because you are subscribed to the Google Groups "msysGit" group.
To unsubscribe from this group and stop receiving emails from it, send an email to msysgit+unsubscribe@googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.
next prev parent reply other threads:[~2013-11-26 19:50 UTC|newest]
Thread overview: 44+ messages / expand[flat|nested] mbox.gz Atom feed top
2013-09-28 21:17 [PATCH] mingw-multibyte: fix memory acces violation and path length limits Wataru Noguchi
2013-09-28 23:18 ` Johannes Schindelin
2013-09-29 2:56 ` Wataru Noguchi
2013-09-29 11:01 ` [msysGit] " Stefan Beller
2013-10-01 13:37 ` Wataru Noguchi
2013-09-30 17:00 ` René Scharfe
2013-09-30 21:02 ` Erik Faye-Lund
2013-10-01 13:35 ` Wataru Noguchi
2013-10-02 22:26 ` Wataru Noguchi
2013-10-03 17:25 ` Antoine Pelisse
2013-10-03 17:36 ` Erik Faye-Lund
2013-10-05 11:39 ` Wataru Noguchi
2013-10-19 10:52 ` [PATCH] Prevent buffer overflows when path is too big Antoine Pelisse
2013-10-20 5:47 ` Torsten Bögershausen
2013-10-20 6:05 ` [msysGit] " Ondřej Bílka
2013-10-20 6:27 ` Torsten Bögershausen
2013-10-20 7:39 ` [msysGit] " Ondřej Bílka
2013-10-20 10:33 ` Duy Nguyen
2013-10-20 17:57 ` Antoine Pelisse
2013-10-21 1:31 ` Duy Nguyen
2013-10-21 19:02 ` Johannes Sixt
2013-10-21 19:07 ` Erik Faye-Lund
2013-10-21 19:14 ` Jeff King
2013-10-21 19:32 ` Jeff King
2013-10-23 12:55 ` [PATCH 1/2] entry.c: convert checkout_entry to use strbuf Nguyễn Thái Ngọc Duy
2013-10-23 12:55 ` [PATCH 2/2] entry.c: convert write_entry " Nguyễn Thái Ngọc Duy
2013-10-23 17:52 ` Junio C Hamano
2013-10-24 1:23 ` Duy Nguyen
2013-10-24 19:49 ` Junio C Hamano
2013-10-24 23:47 ` Duy Nguyen
2013-10-23 12:58 ` [PATCH 1/2] entry.c: convert checkout_entry " Antoine Pelisse
2013-10-23 13:04 ` Duy Nguyen
2013-10-23 13:06 ` Antoine Pelisse
2013-10-23 17:29 ` Jeff King
2013-10-23 17:34 ` Erik Faye-Lund
2013-10-23 17:52 ` Jeff King
2013-10-23 18:09 ` Junio C Hamano
2013-10-23 18:10 ` Jeff King
2013-10-24 1:55 ` [PATCH v2] " Nguyễn Thái Ngọc Duy
2013-10-23 12:55 ` [PATCH] Prevent buffer overflows when path is too big Duy Nguyen
2013-11-26 18:39 ` [PATCH] Prevent buffer overflows when path is too long Antoine Pelisse
2013-11-26 19:50 ` Junio C Hamano [this message]
2013-11-29 12:12 ` Antoine Pelisse
2013-12-14 11:31 ` Antoine Pelisse
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
List information: http://vger.kernel.org/majordomo-info.html
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=xmqqwqjvuelv.fsf@gitster.dls.corp.google.com \
--to=gitster@pobox.com \
--cc=Johannes.Schindelin@gmx.de \
--cc=apelisse@gmail.com \
--cc=git@vger.kernel.org \
--cc=kusmabite@gmail.com \
--cc=l.s.r@web.de \
--cc=msysgit@googlegroups.com \
--cc=tboegi@web.de \
--cc=wnoguchi.0727@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://80x24.org/mirrors/git.git
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).