git@vger.kernel.org mailing list mirror (one of many)
From: Junio C Hamano <gitster@pobox.com>
To: Jeff King <peff@peff.net>
Cc: Martin Koegler <martin.koegler@chello.at>,
	git@vger.kernel.org, Johannes.Schindelin@gmx.de
Subject: Re: [PATCH V2 1/2] Fix delta integer overflows
Date: Fri, 11 Aug 2017 11:43:21 -0700
Message-ID: <xmqqy3qqymgm.fsf@gitster.mtv.corp.google.com>
In-Reply-To: <20170810203612.lt342yq3gnfadjlp@sigill.intra.peff.net> (Jeff King's message of "Thu, 10 Aug 2017 16:36:12 -0400")

Jeff King <peff@peff.net> writes:

> On Thu, Aug 10, 2017 at 01:07:07PM -0700, Junio C Hamano wrote:
>
>> Perhaps we should teach the receiving end to notice that the varint
>> data it reads encodes a size that is too large for it to grok and
>> die.  With that, we can safely move forward with whatever size_t
>> each platform uses.
>
> Yes, this is very important even for "unsigned long". I'd worry that
> malicious input could cause us to wrap to 0, and we'd potentially write
> into a too-small buffer[1].
>
> There's some prior art with checking this against bitsizeof() in
> unpack_object_header_buffer() but get_delta_hdr_size() does not seem to
> have a check.
>
> -Peff
>
> [1] In most cases it's _probably_ not a vulnerability to wrap here,
>     because we'd just read less data than we ought to. But it makes me
>     nervous nonetheless.

As I said in my other message in the thread, as long as the callers
of get_delta_hdr_size() are written correctly, it should be OK.  And
patch_delta() should be OK, even for "unsigned long" when it is too
small.  It just will not produce a correct result and instead abort,
and the patch under discussion fixes that.
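
The wrap-to-zero case raised in the quoted reply, and a reader that refuses an oversized size, as an added example that is not part of the original messages and is not Git's own code. The names (`hdr_size_t`, `decode_unchecked`, `decode_checked`, `SAMPLE_*`) are hypothetical, `uint32_t` stands in for a 32-bit "unsigned long", and the byte layout (7 data bits per byte, least-significant group first, high bit as continuation flag) is an assumption.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>

/* Assumption: uint32_t stands in for a 32-bit "unsigned long". */
typedef uint32_t hdr_size_t;
#define HDR_BITS (sizeof(hdr_size_t) * CHAR_BIT)

/* Constructed samples: 7 data bits per byte, low group first, 0x80 = more. */
const unsigned char SAMPLE_1000[] = { 0xe8, 0x07 };
const unsigned char SAMPLE_MAX[]  = { 0xff, 0xff, 0xff, 0xff, 0x0f };
const unsigned char SAMPLE_2P32[] = { 0x80, 0x80, 0x80, 0x80, 0x10 };

/* Unchecked: bits that do not fit are dropped, so 2^32 decodes as 0. */
static hdr_size_t decode_unchecked(const unsigned char *p, const unsigned char *top)
{
	hdr_size_t size = 0, shift = 0, c;
	do {
		c = *p++;	/* caller must pass at least one byte */
		size |= shift < HDR_BITS ? (c & 0x7f) << shift : 0;
		shift += 7;
	} while ((c & 0x80) && p < top);
	return size;
}

/* Checked: returns the size, or -1 if truncated or too big for hdr_size_t. */
static long long decode_checked(const unsigned char *p, const unsigned char *top)
{
	hdr_size_t size = 0, shift = 0, chunk, c;
	do {
		if (p >= top)
			return -1;	/* input ended mid-varint */
		c = *p++;
		chunk = c & 0x7f;
		if (chunk && (shift >= HDR_BITS ||
			      (hdr_size_t)(chunk << shift) >> shift != chunk))
			return -1;	/* high bits would be lost */
		size |= shift < HDR_BITS ? chunk << shift : 0;
		shift += shift < HDR_BITS ? 7 : 0;	/* saturate the counter */
	} while (c & 0x80);
	return size;
}

int main(void)
{
	const unsigned char *b = SAMPLE_2P32, *e = b + sizeof(SAMPLE_2P32);
	printf("%lu %lld\n", (unsigned long)decode_unchecked(b, e), decode_checked(b, e));
	return 0;
}
```

The check shifts each 7-bit group up and back down and rejects the input if the round trip loses bits, so the largest representable value is still accepted.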


