From: Michael Haggerty <mhagger@alum.mit.edu>
To: git@vger.kernel.org
Cc: Junio C Hamano <gitster@pobox.com>,
Thomas Rast <trast@student.ethz.ch>,
Michael Haggerty <mhagger@alum.mit.edu>
Subject: [PATCH 1/1] get_sha1_hex(): do not read past a NUL character
Date: Fri, 23 Sep 2011 15:38:36 +0200 [thread overview]
Message-ID: <1316785116-21831-1-git-send-email-mhagger@alum.mit.edu> (raw)
In-Reply-To: <4E7C857D.8000304@alum.mit.edu>
Previously, get_sha1_hex() would read one character past the end of a
null-terminated string whose strlen was an even number less than 40.
Although the function correctly returned -1 in these cases, the extra
memory access might have been to uninitialized (or even, conceivably,
unallocated) memory.
Add a check to avoid reading past the end of a string.
This problem was discovered by Thomas Rast <trast@student.ethz.ch>
using valgrind.
Signed-off-by: Michael Haggerty <mhagger@alum.mit.edu>
---
It is suggested to apply this bugfix before mh/check-ref-format-3;
otherwise the latter triggers the bug, leading to a valgrind error.
This patch could optionally be applied to maint (to which it can be
rebased cleanly), though the bug that it fixes is relatively benign.
cache.h | 9 +++++++++
hex.c | 10 +++++++++-
2 files changed, 18 insertions(+), 1 deletions(-)
diff --git cache.h cache.h
index 607c2ea..e7bbc0d 100644
--- cache.h
+++ cache.h
@@ -819,7 +819,16 @@ static inline int get_sha1_with_context(const char *str, unsigned char *sha1, st
{
return get_sha1_with_context_1(str, sha1, orc, 0, NULL);
}
+
+/*
+ * Try to read a SHA1 in hexadecimal format from the 40 characters
+ * starting at hex. Write the 20-byte result to sha1 in binary form.
+ * Return 0 on success. Reading stops if a NUL is encountered in the
+ * input, so it is safe to pass this function an arbitrary
+ * null-terminated string.
+ */
extern int get_sha1_hex(const char *hex, unsigned char *sha1);
+
extern char *sha1_to_hex(const unsigned char *sha1); /* static buffer result! */
extern int read_ref(const char *filename, unsigned char *sha1);
extern const char *resolve_ref(const char *path, unsigned char *sha1, int, int *);
diff --git hex.c hex.c
index bb402fb..9ebc050 100644
--- hex.c
+++ hex.c
@@ -39,7 +39,15 @@ int get_sha1_hex(const char *hex, unsigned char *sha1)
{
int i;
for (i = 0; i < 20; i++) {
- unsigned int val = (hexval(hex[0]) << 4) | hexval(hex[1]);
+ unsigned int val;
+ /*
+ * hex[1]=='\0' is caught when val is checked below,
+ * but if hex[0] is NUL we have to avoid reading
+ * past the end of the string:
+ */
+ if (!hex[0])
+ return -1;
+ val = (hexval(hex[0]) << 4) | hexval(hex[1]);
if (val & ~0xff)
return -1;
*sha1++ = val;
--
1.7.7.rc2
next prev parent reply other threads:[~2011-09-23 13:38 UTC|newest]
Thread overview: 60+ messages / expand[flat|nested] mbox.gz Atom feed top
2011-09-15 21:10 [PATCH v3 00/22] Clean up refname checks and normalization Michael Haggerty
2011-09-15 21:10 ` [PATCH v3 01/22] t1402: add some more tests Michael Haggerty
2011-09-15 21:10 ` [PATCH v3 02/22] git check-ref-format: add options --allow-onelevel and --refspec-pattern Michael Haggerty
2011-09-15 21:10 ` [PATCH v3 03/22] Change bad_ref_char() to return a boolean value Michael Haggerty
2011-09-15 21:10 ` [PATCH v3 04/22] Change check_ref_format() to take a flags argument Michael Haggerty
2011-09-15 21:10 ` [PATCH v3 05/22] Refactor check_refname_format() Michael Haggerty
2011-09-15 21:10 ` [PATCH v3 06/22] Do not allow ".lock" at the end of any refname component Michael Haggerty
2011-09-15 21:10 ` [PATCH v3 07/22] Make collapse_slashes() allocate memory for its result Michael Haggerty
2011-09-15 21:10 ` [PATCH v3 08/22] Inline function refname_format_print() Michael Haggerty
2011-09-15 21:10 ` [PATCH v3 09/22] Change check_refname_format() to reject unnormalized refnames Michael Haggerty
2011-09-15 21:10 ` [PATCH v3 10/22] resolve_ref(): explicitly fail if a symlink is not readable Michael Haggerty
2011-09-15 21:10 ` [PATCH v3 11/22] resolve_ref(): use prefixcmp() Michael Haggerty
2011-09-15 21:10 ` [PATCH v3 12/22] resolve_ref(): only follow a symlink that contains a valid, normalized refname Michael Haggerty
2011-09-15 21:10 ` [PATCH v3 13/22] resolve_ref(): turn buffer into a proper string as soon as possible Michael Haggerty
2011-09-23 8:17 ` Thomas Rast
2011-09-23 13:11 ` Michael Haggerty
2011-09-23 13:38 ` Michael Haggerty [this message]
2011-09-23 18:59 ` [PATCH 1/1] get_sha1_hex(): do not read past a NUL character Junio C Hamano
2011-10-05 19:11 ` Thomas Rast
2011-10-05 20:37 ` Junio C Hamano
2011-09-15 21:10 ` [PATCH v3 14/22] resolve_ref(): extract a function get_packed_ref() Michael Haggerty
2011-09-15 21:10 ` [PATCH v3 15/22] resolve_ref(): do not follow incorrectly-formatted symbolic refs Michael Haggerty
2011-09-15 21:10 ` [PATCH v3 16/22] remote: use xstrdup() instead of strdup() Michael Haggerty
2011-09-15 21:10 ` [PATCH v3 17/22] remote: avoid passing NULL to read_ref() Michael Haggerty
2011-09-15 21:10 ` [PATCH v3 18/22] resolve_ref(): verify that the input refname has the right format Michael Haggerty
2011-09-15 21:10 ` [PATCH v3 19/22] resolve_ref(): emit warnings for improperly-formatted references Michael Haggerty
2011-10-11 16:16 ` Jeff King
2011-10-11 17:53 ` Junio C Hamano
2011-10-11 18:07 ` Junio C Hamano
2011-10-11 20:14 ` Re* " Junio C Hamano
2011-10-11 20:39 ` Jeff King
2011-10-11 21:31 ` Junio C Hamano
2011-10-11 22:54 ` Jeff King
2011-10-12 16:52 ` Junio C Hamano
2011-10-11 23:07 ` Jeff King
2011-10-11 23:50 ` Junio C Hamano
2011-10-12 2:11 ` Jeff King
2011-10-12 4:41 ` Junio C Hamano
2011-10-12 4:50 ` Jeff King
2011-10-12 17:48 ` [PATCH 1/2] refs.c: move dwim_ref()/dwim_log() from sha1_name.c Junio C Hamano
2011-10-12 17:49 ` [PATCH 2/2] Restrict ref-like names immediately below $GIT_DIR Junio C Hamano
2011-10-12 18:01 ` Michael Haggerty
2011-10-12 18:07 ` Junio C Hamano
2011-10-12 21:42 ` Michael Haggerty
2011-10-12 22:26 ` Junio C Hamano
2011-10-19 5:28 ` Junio C Hamano
2011-10-19 6:19 ` Junio C Hamano
2011-10-19 15:18 ` Michael Haggerty
2011-10-19 17:10 ` Junio C Hamano
2011-10-19 19:29 ` Junio C Hamano
2011-10-19 19:39 ` [PATCH] resolve_ref(): report breakage to the caller without warning Junio C Hamano
2011-10-19 20:31 ` [PATCH 2/2] Restrict ref-like names immediately below $GIT_DIR Michael Haggerty
2011-10-19 20:39 ` Junio C Hamano
2011-10-12 21:51 ` Jeff King
2011-10-12 2:56 ` Re* [PATCH v3 19/22] resolve_ref(): emit warnings for improperly-formatted references Michael Haggerty
2011-10-12 19:20 ` Junio C Hamano
2011-10-12 19:26 ` Jeff King
2011-09-15 21:10 ` [PATCH v3 20/22] resolve_ref(): also treat a too-long SHA1 as invalid Michael Haggerty
2011-09-15 21:10 ` [PATCH v3 21/22] resolve_ref(): expand documentation Michael Haggerty
2011-09-15 21:10 ` [PATCH v3 22/22] add_ref(): verify that the refname is formatted correctly Michael Haggerty
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1316785116-21831-1-git-send-email-mhagger@alum.mit.edu \
--to=mhagger@alum.mit.edu \
--cc=git@vger.kernel.org \
--cc=gitster@pobox.com \
--cc=trast@student.ethz.ch \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).