From: Thomas Jarosch <thomas.jarosch@intra2net.com>
To: git@vger.kernel.org
Cc: Junio C Hamano <gitster@pobox.com>,
Johannes Schindelin <Johannes.Schindelin@gmx.de>,
Johannes Sixt <j.sixt@viscovery.net>,
markus.heidelberg@web.de, Jeff King <peff@peff.net>
Subject: [PATCH v3] Fix buffer overflow in config parser
Date: Fri, 17 Apr 2009 14:05:11 +0200 [thread overview]
Message-ID: <200904171405.48269.thomas.jarosch@intra2net.com> (raw)
In-Reply-To: <49E58F38.5060103@viscovery.net>
When interpreting a config value, the config parser reads in 1+ space
character(s) and puts -one- space character in the buffer as soon as
the first non-space character is encountered (if not inside quotes).
Unfortunately the buffer size check lacks the extra space character
which gets inserted at the next non-space character, resulting in
a crash with a specially crafted config entry.
The unit test now uses Java to compile a platform independent
.NET framework to output the test string in C# :o) Read:
Thanks to Johannes Sixt for the correct printf call
which replaces the perl invocation.
Signed-off-by: Thomas Jarosch <thomas.jarosch@intra2net.com>
---
config.c | 2 +-
t/t1303-wacky-config.sh | 9 ++++++++-
2 files changed, 9 insertions(+), 2 deletions(-)
diff --git a/config.c b/config.c
index b76fe4c..2d70398 100644
--- a/config.c
+++ b/config.c
@@ -51,7 +51,7 @@ static char *parse_value(void)
for (;;) {
int c = get_next_char();
- if (len >= sizeof(value))
+ if (len >= sizeof(value) - 1)
return NULL;
if (c == '\n') {
if (quote)
diff --git a/t/t1303-wacky-config.sh b/t/t1303-wacky-config.sh
index 1983076..a7d8d25 100755
--- a/t/t1303-wacky-config.sh
+++ b/t/t1303-wacky-config.sh
@@ -10,7 +10,7 @@ setup() {
check() {
echo "$2" >expected
- git config --get "$1" >actual
+ git config --get "$1" >actual 2>&1
test_cmp actual expected
}
@@ -40,4 +40,11 @@ test_expect_success 'make sure git config escapes section names properly' '
check "$SECTION" bar
'
+LONG_VALUE=$(printf "x%01021dx a" 7)
+test_expect_success 'do not crash on special long config line' '
+ setup &&
+ git config section.key "$LONG_VALUE" &&
+ check section.key "fatal: bad config file line 2 in .git/config"
+'
+
test_done
--
1.6.1.3
next prev parent reply other threads:[~2009-04-17 12:07 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2009-04-14 21:28 [PATCH v2] Fix buffer overflow in config parser Thomas Jarosch
2009-04-14 21:41 ` Johannes Schindelin
2009-04-14 21:47 ` Thomas Jarosch
2009-04-15 7:50 ` Jeff King
2009-04-15 7:53 ` Jeff King
2009-04-14 22:38 ` Junio C Hamano
2009-04-15 7:11 ` Johannes Sixt
2009-04-15 7:39 ` Johannes Sixt
2009-04-17 12:05 ` Thomas Jarosch [this message]
2009-04-17 13:16 ` [PATCH v3] " Johannes Schindelin
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=200904171405.48269.thomas.jarosch@intra2net.com \
--to=thomas.jarosch@intra2net.com \
--cc=Johannes.Schindelin@gmx.de \
--cc=git@vger.kernel.org \
--cc=gitster@pobox.com \
--cc=j.sixt@viscovery.net \
--cc=markus.heidelberg@web.de \
--cc=peff@peff.net \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).