On 09/12/2014 12:15 AM, Ronnie Sahlberg wrote:
> On Sat, Sep 6, 2014 at 12:50 AM, Michael Haggerty <mhagger@xxxxxxxxxxxx> wrote:
>> There are a few places that use these values, so define constants for
>> them.
>>
>> Signed-off-by: Michael Haggerty <mhagger@xxxxxxxxxxxx>
>> ---
>> cache.h | 4 ++++
>> lockfile.c | 11 ++++++-----
>> refs.c | 7 ++++---
>> 3 files changed, 14 insertions(+), 8 deletions(-)
>>
>> diff --git a/cache.h b/cache.h
>> index da77094..41d829b 100644
>> --- a/cache.h
>> +++ b/cache.h
>> @@ -569,6 +569,10 @@ extern void fill_stat_cache_info(struct cache_entry *ce, struct stat *st);
>> #define REFRESH_IN_PORCELAIN 0x0020 /* user friendly output, not "needs update" */
>> extern int refresh_index(struct index_state *, unsigned int flags, const struct pathspec *pathspec, char *seen, const char *header_msg);
>>
>> +/* String appended to a filename to derive the lockfile name: */
>> +#define LOCK_SUFFIX ".lock"
>> +#define LOCK_SUFFIX_LEN 5
>> +
>> struct lock_file {
>> struct lock_file *next;
>> int fd;
>> diff --git a/lockfile.c b/lockfile.c
>> index 964b3fc..bfea333 100644
>> --- a/lockfile.c
>> +++ b/lockfile.c
>> @@ -176,10 +176,11 @@ static char *resolve_symlink(char *p, size_t s)
>> static int lock_file(struct lock_file *lk, const char *path, int flags)
>> {
>> /*
>> - * subtract 5 from size to make sure there's room for adding
>> - * ".lock" for the lock file name
>> + * subtract LOCK_SUFFIX_LEN from size to make sure there's
>> + * room for adding ".lock" for the lock file name:
>> */
>> - static const size_t max_path_len = sizeof(lk->filename) - 5;
>> + static const size_t max_path_len = sizeof(lk->filename) -
>> + LOCK_SUFFIX_LEN;
>>
>> if (!lock_file_list) {
>> /* One-time initialization */
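Review bot: `LOCK_SUFFIX_LEN` in the cache.h hunk is a hand-written `5` that has to be kept equal to the length of `LOCK_SUFFIX`, and nothing ties the two together. The lockfile.c hunk that follows sizes `max_path_len` as `sizeof(lk->filename) - LOCK_SUFFIX_LEN`, so if the suffix string were ever lengthened without the length being updated, the room reserved in what appears to be a fixed-size `filename` array would be too small for the later append. Deriving the length from the literal keeps the two in step and is still a compile-time constant, so the `static const` initializer keeps working: `#define LOCK_SUFFIX_LEN (sizeof(LOCK_SUFFIX) - 1)`. The comment in that second hunk also still spells out `".lock"` and could name `LOCK_SUFFIX` instead.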
>> @@ -204,7 +205,7 @@ static int lock_file(struct lock_file *lk, const char *path, int flags)
>> strcpy(lk->filename, path);
>> if (!(flags & LOCK_NODEREF))
>> resolve_symlink(lk->filename, max_path_len);
>> - strcat(lk->filename, ".lock");
>> + strcat(lk->filename, LOCK_SUFFIX);
>> lk->fd = open(lk->filename, O_RDWR | O_CREAT | O_EXCL, 0666);
>> if (0 <= lk->fd) {
>> lk->owner = getpid();
>> @@ -314,7 +315,7 @@ int commit_lock_file(struct lock_file *lk)
>> if (lk->fd >= 0 && close_lock_file(lk))
>> return -1;
>> strcpy(result_file, lk->filename);
>> - i = strlen(result_file) - 5; /* .lock */
>> + i = strlen(result_file) - LOCK_SUFFIX_LEN; /* .lock */
>
> Not a new bug since the previous code is broken too.
> Should probably checkstrlen(result_file) >= 5 here before subtracting 5.
>
> Otherwise, a caller that calls commit_lock_file() with an already
> committed/closed lock_file can cause writing outside the bounds of
> the array on the line below.
Good catch; thanks. I will fix this in the reroll (though probably in a later patch).
>> [...]
Michael -- Michael Haggerty mhagger@xxxxxxxxxxxx -- To unsubscribe from this list: send the line "unsubscribe git" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
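Review bot: The `strcat(lk->filename, LOCK_SUFFIX)` in the `@@ -204,7 +205,7 @@` hunk follows an unbounded `strcpy(lk->filename, path)`, and nothing visible in the hunk states why the append fits. The bound presumably comes from a length check on `path` in the lines of `lock_file()` between this hunk and the previous one, which are not shown, and from `resolve_symlink()` honouring the `max_path_len` it is given. A short comment above the `strcat` would make that invariant reviewable, for example `/* path and the resolved name are shorter than max_path_len, so LOCK_SUFFIX and the NUL fit */`, to be confirmed against the unseen check. `lock_file()` starts and ends outside this hunk.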