* [PATCH] Fix buffer overflow in config parser
@ 2009-04-08 22:13 Thomas Jarosch
2009-04-08 22:58 ` Markus Heidelberg
0 siblings, 1 reply; 5+ messages in thread
From: Thomas Jarosch @ 2009-04-08 22:13 UTC (permalink / raw)
To: git
[-- Attachment #1: Type: text/plain, Size: 229 bytes --]
Hello together,
attached is a small patch to fix a buffer overflow in config.c.
Patch is against git master's HEAD.
I didn't send this one inline as I wanted to
preserve the 1024+ byte long line.
Best regards,
Thomas Jarosch
[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #2: git-fix-config-buffer-overflow.patch --]
[-- Type: text/x-patch; name="git-fix-config-buffer-overflow.patch", Size: 1671 bytes --]
Fix buffer overflow in config parser.
Segfaulting config looks like this:
---------------------------------------
[core]
repositoryformatversion = 0
filemode = true
bare = false
logallrefupdates = true
foobar = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaxxxbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbcccccccccccccccccccccaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa123 4
---------------------------------------
Signed-off-by: Thomas Jarosch <thomas.jarosch@intra2net.com>
diff --git a/config.c b/config.c
index b76fe4c..a9c67e8 100644
--- a/config.c
+++ b/config.c
@@ -72,7 +72,7 @@ static char *parse_value(void)
}
}
if (space) {
- if (len)
+ if (len && len < sizeof(value)-1)
value[len++] = ' ';
space = 0;
}
^ permalink raw reply related [flat|nested] 5+ messages in thread* Re: [PATCH] Fix buffer overflow in config parser
2009-04-08 22:13 [PATCH] Fix buffer overflow in config parser Thomas Jarosch
@ 2009-04-08 22:58 ` Markus Heidelberg
2009-04-08 23:15 ` Markus Heidelberg
0 siblings, 1 reply; 5+ messages in thread
From: Markus Heidelberg @ 2009-04-08 22:58 UTC (permalink / raw)
To: Thomas Jarosch; +Cc: git
Thomas Jarosch, 09.04.2009:
> Hello together,
>
> attached is a small patch to fix a buffer overflow in config.c.
> Patch is against git master's HEAD.
>
> I didn't send this one inline as I wanted to
> preserve the 1024+ byte long line.
You could send the patch inline and attach the example config.
> diff --git a/config.c b/config.c
> index b76fe4c..a9c67e8 100644
> --- a/config.c
> +++ b/config.c
> @@ -72,7 +72,7 @@ static char *parse_value(void)
> }
> }
> if (space) {
> - if (len)
> + if (len && len < sizeof(value)-1)
> value[len++] = ' ';
> space = 0;
> }
At the beginning of the for loop, there is already an overflow guard.
if (len >= sizeof(value))
return NULL;
It would probably be better to fix it at this place.
if (len >= sizeof(value)-1)
return NULL;
Markus
^ permalink raw reply [flat|nested] 5+ messages in thread* Re: [PATCH] Fix buffer overflow in config parser
2009-04-08 22:58 ` Markus Heidelberg
@ 2009-04-08 23:15 ` Markus Heidelberg
2009-04-09 7:59 ` Thomas Jarosch
0 siblings, 1 reply; 5+ messages in thread
From: Markus Heidelberg @ 2009-04-08 23:15 UTC (permalink / raw)
To: Thomas Jarosch; +Cc: git
Markus Heidelberg, 09.04.2009:
> Thomas Jarosch, 09.04.2009:
> > Hello together,
> >
> > attached is a small patch to fix a buffer overflow in config.c.
> > Patch is against git master's HEAD.
> >
> > I didn't send this one inline as I wanted to
> > preserve the 1024+ byte long line.
>
> You could send the patch inline and attach the example config.
>
> > diff --git a/config.c b/config.c
> > index b76fe4c..a9c67e8 100644
> > --- a/config.c
> > +++ b/config.c
> > @@ -72,7 +72,7 @@ static char *parse_value(void)
> > }
> > }
> > if (space) {
> > - if (len)
> > + if (len && len < sizeof(value)-1)
> > value[len++] = ' ';
> > space = 0;
Eh, or maybe better add a "continue;" here, so that only one char per
loop is read.
> > }
^ permalink raw reply [flat|nested] 5+ messages in thread* Re: [PATCH] Fix buffer overflow in config parser
2009-04-08 23:15 ` Markus Heidelberg
@ 2009-04-09 7:59 ` Thomas Jarosch
2009-04-10 16:10 ` Markus Heidelberg
0 siblings, 1 reply; 5+ messages in thread
From: Thomas Jarosch @ 2009-04-09 7:59 UTC (permalink / raw)
To: markus.heidelberg; +Cc: git
On Thursday, 9. April 2009 01:15:17 Markus Heidelberg wrote:
> > > diff --git a/config.c b/config.c
> > > index b76fe4c..a9c67e8 100644
> > > --- a/config.c
> > > +++ b/config.c
> > > @@ -72,7 +72,7 @@ static char *parse_value(void)
> > > }
> > > }
> > > if (space) {
> > > - if (len)
> > > + if (len && len < sizeof(value)-1)
> > > value[len++] = ' ';
> > > space = 0;
>
> Eh, or maybe better add a "continue;" here, so that only one char per
> loop is read.
Thanks for the review.
If I understand the intention of the complete code correctly, the idea was
to read in 1+ spaces and put -one- space in the buffer as soon as the first
non-space character is encountered (if not inside quotes).
Adding a "continue" statement would eat up the first non-space character.
I guess it's ok to modify the first size check or keep to problem local and
check the size before putting the space in the buffer. Guess that's up to
the maintainer which method he prefers.
Cheers,
Thomas
^ permalink raw reply [flat|nested] 5+ messages in thread* Re: [PATCH] Fix buffer overflow in config parser
2009-04-09 7:59 ` Thomas Jarosch
@ 2009-04-10 16:10 ` Markus Heidelberg
0 siblings, 0 replies; 5+ messages in thread
From: Markus Heidelberg @ 2009-04-10 16:10 UTC (permalink / raw)
To: Thomas Jarosch; +Cc: git
Thomas Jarosch, 09.04.2009:
> On Thursday, 9. April 2009 01:15:17 Markus Heidelberg wrote:
> > > > diff --git a/config.c b/config.c
> > > > index b76fe4c..a9c67e8 100644
> > > > --- a/config.c
> > > > +++ b/config.c
> > > > @@ -72,7 +72,7 @@ static char *parse_value(void)
> > > > }
> > > > }
> > > > if (space) {
> > > > - if (len)
> > > > + if (len && len < sizeof(value)-1)
> > > > value[len++] = ' ';
> > > > space = 0;
> >
> > Eh, or maybe better add a "continue;" here, so that only one char per
> > loop is read.
>
> Thanks for the review.
>
> If I understand the intention of the complete code correctly, the idea was
> to read in 1+ spaces and put -one- space in the buffer as soon as the first
> non-space character is encountered (if not inside quotes).
>
> Adding a "continue" statement would eat up the first non-space character.
Yes, you are right, I judged to quickly.
> I guess it's ok to modify the first size check or keep to problem local and
> check the size before putting the space in the buffer.
Keeping the problem local would mean to add this check to the end of the
"for" loop before "value[len++] = c;" where the overflow actually
happens.
OTOH this overflow only occurs within a whitespace area, so from this
POV it is local at this place.
I think the cleanest solution would be to decrease the existing check at
the top by 1, even if then the maximum length will be decreased. But
there is no hint in the docs about it anyway.
> Guess that's up to
> the maintainer which method he prefers.
Take what you think is the best solution and convince him :)
Markus
^ permalink raw reply [flat|nested] 5+ messages in thread
end of thread, other threads:[~2009-04-10 16:12 UTC | newest]
Thread overview: 5+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2009-04-08 22:13 [PATCH] Fix buffer overflow in config parser Thomas Jarosch
2009-04-08 22:58 ` Markus Heidelberg
2009-04-08 23:15 ` Markus Heidelberg
2009-04-09 7:59 ` Thomas Jarosch
2009-04-10 16:10 ` Markus Heidelberg
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).