Currently, most buffers created with PATH_MAX length, are not checked when being written, and can overflow if PATH_MAX is not big enough to hold the path. Fix that by using strlcpy() where strcpy() was used, and also run some extra checks when copy is done with memcpy(). Reported-by: Wataru Noguchi <wnoguchi.0727@xxxxxxxxx> Signed-off-by: Antoine Pelisse <apelisse@xxxxxxxxx> --- abspath.c | 10 +++++++--- diffcore-order.c | 2 +- entry.c | 14 ++++++++++---- unpack-trees.c | 2 ++ 4 files changed, 20 insertions(+), 8 deletions(-) diff --git a/abspath.c b/abspath.c index 64adbe2..0e60ba4 100644 --- a/abspath.c +++ b/abspath.c @@ -216,11 +216,15 @@ const char *absolute_path(const char *path) const char *prefix_filename(const char *pfx, int pfx_len, const char *arg) { static char path[PATH_MAX]; + + if (pfx_len > PATH_MAX) + die("Too long prefix path: %s", pfx); + #ifndef GIT_WINDOWS_NATIVE if (!pfx_len || is_absolute_path(arg)) return arg; memcpy(path, pfx, pfx_len); - strcpy(path + pfx_len, arg); + strlcpy(path + pfx_len, arg, PATH_MAX - pfx_len); #else char *p; /* don't add prefix to absolute paths, but still replace '\' by '/' */ @@ -228,8 +232,8 @@ const char *prefix_filename(const char *pfx, int pfx_len, const char *arg) pfx_len = 0; else if (pfx_len) memcpy(path, pfx, pfx_len); - strcpy(path + pfx_len, arg); - for (p = path + pfx_len; *p; p++) + strlcpy(path + pfx_len, arg, PATH_MAX - pfx_len); + for (p = path + pfx_len; p < path + PATH_MAX && *p; p++) if (*p == '\\') *p = '/'; #endif diff --git a/diffcore-order.c b/diffcore-order.c index 23e9385..f083c82 100644 --- a/diffcore-order.c +++ b/diffcore-order.c @@ -76,7 +76,7 @@ static int match_order(const char *path) char p[PATH_MAX]; for (i = 0; i < order_cnt; i++) { - strcpy(p, path); + strlcpy(p, path, PATH_MAX); while (p[0]) { char *cp; if (!fnmatch(order[i], p, 0)) diff --git a/entry.c b/entry.c index acc892f..39bee42 100644 --- a/entry.c +++ b/entry.c @@ -50,17 +50,20 @@ static void remove_subtree(const char *path) struct dirent *de; char pathbuf[PATH_MAX]; char *name; + size_t pathlen; if (!dir) die_errno("cannot opendir '%s'", path); - strcpy(pathbuf, path); - name = pathbuf + strlen(path); + strlcpy(pathbuf, path, PATH_MAX); + pathlen = strlen(path); + name = pathbuf + pathlen; *name++ = '/'; + pathlen++; while ((de = readdir(dir)) != NULL) { struct stat st; if (is_dot_or_dotdot(de->d_name)) continue; - strcpy(name, de->d_name); + strlcpy(name, de->d_name, PATH_MAX - pathlen); if (lstat(pathbuf, &st)) die_errno("cannot lstat '%s'", pathbuf); if (S_ISDIR(st.st_mode)) @@ -244,8 +247,11 @@ int checkout_entry(struct cache_entry *ce, if (topath) return write_entry(ce, topath, state, 1); + if (len > PATH_MAX + 1) + die("Too long path: %s", state->base_dir); + memcpy(path, state->base_dir, len); - strcpy(path + len, ce->name); + strlcpy(path + len, ce->name, PATH_MAX + 1 - len); len += ce_namelen(ce); if (!check_path(path, len, &st, state->base_dir_len)) { diff --git a/unpack-trees.c b/unpack-trees.c index 1a61e6f..85473b1 100644 --- a/unpack-trees.c +++ b/unpack-trees.c @@ -918,6 +918,8 @@ static int clear_ce_flags_1(struct cache_entry **cache, int nr, int processed; len = slash - name; + if (len + prefix_len >= PATH_MAX) + len = PATH_MAX - prefix_len - 1; memcpy(prefix + prefix_len, name, len); /* -- 1.8.4.1.507.g9768648.dirty -- To unsubscribe from this list: send the line "unsubscribe git" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html