On Tue, Nov 26, 2013 at 8:50 PM, Junio C Hamano <gitster@xxxxxxxxx> wrote:
> Antoine Pelisse <apelisse@xxxxxxxxx> writes:
>
>> Some buffers created with PATH_MAX length are not checked when being
>> written, and can overflow if PATH_MAX is not big enough to hold the
>> path.
>
> Perhaps it is time to update all of them to use strbuf? The callers
> of prefix_filename() aren't that many, and all of them are prepared
> to stash the returned value away when they keep it longer term, so
> they would not notice if we used "static struct strbuf path" and
> gave back "path.buf" (without strbuf_detach() on it). The buffer
> used in clear_ce_flags() and passed to clear_ce_flags_{1,dir} are
> not seen outside the callchain, and can safely become strbuf, I
> think.
Let's do that, but shouldn't we also modify those that are currently
safe, like absolute_path() just above prefix_filename() ?
>> abspath.c | 10 ++++++++--
>> diffcore-order.c | 14 +++++++++-----
>> unpack-trees.c | 2 ++
>> 3 files changed, 19 insertions(+), 7 deletions(-)
>>
>> diff --git a/abspath.c b/abspath.c
>> index e390994..29a5f9d 100644
>> --- a/abspath.c
>> +++ b/abspath.c
>> @@ -216,11 +216,16 @@ const char *absolute_path(const char *path)
>> const char *prefix_filename(const char *pfx, int pfx_len, const char *arg)
>> {
>> static char path[PATH_MAX];
>> +
>> + if (pfx_len >= PATH_MAX)
>> + die("Too long prefix path: %s", pfx);
>
> I do not think this is needed, and will reject a valid input that
> used to be accepted (e.g. arg is absolute so pfx does not matter).
My mistake
>> - strcpy(path + pfx_len, arg);
>> + if (strlcpy(path + pfx_len, arg, PATH_MAX - pfx_len) > PATH_MAX)
>> + die("Too long path: %s", path);
>> for (p = path + pfx_len; *p; p++)
>> if (*p == '\\')
>> *p = '/';
>
> The above is curious. Unless we are doing the short-cut for "no
> prefix so we can just return arg" codepath, we know that the
> resulting length is always pfx_len + strlen(arg), no?
If you mean that the test should be more like the following:
+ if (strlcpy(path + pfx_len, arg, PATH_MAX - pfx_len) > PATH_MAX - pfx_len)
Then of course, you are right, that's my mistake.
--
To unsubscribe from this list: send the line "unsubscribe git" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html