mirrors/git
0
0
Fork 0
mirror of https://github.com/git/git.git synced 2024-11-24 10:26:17 +08:00
Code Issues Packages Projects Releases Wiki Activity

verify_absent: allow filenames longer than PATH_MAX

Browse Source 
When unpack-trees wants to know whether a path will
overwrite anything in the working tree, we use lstat() to
see if there is anything there. But if we are going to write
"foo/bar", we can't just lstat("foo/bar"); we need to look
for leading prefixes (e.g., "foo"). So we use the lstat cache
to find the length of the leading prefix, and copy the
filename up to that length into a temporary buffer (since
the original name is const, we cannot just stick a NUL in
it).

The copy we make goes into a PATH_MAX-sized buffer, which
will overflow if the prefix is longer than PATH_MAX. How
this happens is a little tricky, since in theory PATH_MAX is
the biggest path we will have read from the filesystem. But
this can happen if:

  - the compiled-in PATH_MAX does not accurately reflect
    what the filesystem is capable of

  - the leading prefix is not _quite_ what is on disk; it
    contains the next element from the name we are checking.
    So if we want to write "aaa/bbb/ccc/ddd" and "aaa/bbb"
    exists, the prefix of interest is "aaa/bbb/ccc". If
    "aaa/bbb" approaches PATH_MAX, then "ccc" can overflow
    it.

So this can be triggered, but it's hard to do. In
particular, you cannot just "git clone" a bogus repo. The
verify_absent checks happen before unpack-trees writes
anything to the filesystem, so there are never any leading
prefixes during the initial checkout, and the bug doesn't
trigger. And by definition, these files are larger than
PATH_MAX, so writing them will fail, and clone will
complain (though it may write a partial path, which will
cause a subsequent "git checkout" to hit the bug).

We can fix it by creating the temporary path on the heap.
The extra malloc overhead is not important, as we are
already making at least one stat() call (and probably more
for the prefix discovery).

Signed-off-by: Jeff King <peff@peff.net>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
This commit is contained in:
Jeff King 2015-08-19 14:12:37 -04:00 committed by Junio C Hamano
parent fdf96a20ac
commit f514ef9787
1 changed files with 11 additions and 8 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

19
unpack-trees.c
View File

@ -1432,15 +1432,18 @@ static int verify_absent_1(const struct cache_entry *ce,
if (!len)
return 0;
else if (len > 0) {
char path[PATH_MAX + 1];
memcpy(path, ce->name, len);
path[len] = 0;
if (lstat(path, &st))
return error("cannot stat '%s': %s", path,
strerror(errno));
char *path;
int ret;
return check_ok_to_remove(path, len, DT_UNKNOWN, NULL, &st,
error_type, o);
path = xmemdupz(ce->name, len);
if (lstat(path, &st))
ret = error("cannot stat '%s': %s", path,
strerror(errno));
else
ret = check_ok_to_remove(path, len, DT_UNKNOWN, NULL,
&st, error_type, o);
free(path);
return ret;
} else if (lstat(ce->name, &st)) {
if (errno != ENOENT)
return error("cannot stat '%s': %s", ce->name,