From: "René Scharfe" <l.s.r@web.de>
To: Jeff King <peff@peff.net>
Cc: Chandra Pratap via GitGitGadget <gitgitgadget@gmail.com>,
git@vger.kernel.org, Chandra Pratap <chandrapratap376@gmail.com>,
Chandra Pratap <chandrapratap3519@gmail.com>
Subject: Re: [PATCH] commit.c: ensure strchrnul() doesn't scan beyond range
Date: Thu, 8 Feb 2024 19:31:51 +0100 [thread overview]
Message-ID: <8313d9d6-f6bd-4fae-be9c-e7a8129768eb@web.de> (raw)
In-Reply-To: <20240208010040.GB1059751@coredump.intra.peff.net>
Am 08.02.24 um 02:00 schrieb Jeff King:
> On Mon, Feb 05, 2024 at 08:57:46PM +0100, René Scharfe wrote:
>
>> If you want to make the code work with buffers that lack a terminating
>> NUL then you need to replace the strchrnul() call with something that
>> respects buffer lengths. You could e.g. call memchr(). Don't forget
>> to check for NUL to preserve the original behavior. Or you could roll
>> your own custom replacement, perhaps like this:
>
> I'm not sure it is worth retaining the check for NUL. The original
> function added by me in fe6eb7f2c5 (commit: provide a function to find a
> header in a buffer, 2014-08-27) just took a NUL-terminated string, so
> we certainly were not expecting embedded NULs.
>
> In cfc5cf428b (receive-pack.c: consolidate find header logic,
> 2022-01-06) we switched to taking the "len" parameter, but the new
> caller just passes strlen(msg) anyway.
>
> I guess you could argue that before that commit, receive-pack.c's
> find_header() which took a length was buggy to use strchrnul(). It gets
> fed with a push-cert buffer. I guess it's possible for there to be an
> embedded NUL there, but in practice there shouldn't be. If we are
> thinking of malformed or malicious input, it's not clear which behavior
> (finding or not finding a header past a NUL) is more harmful. So all
> things being equal, I would try to reduce the number of special cases
> here by not worrying about NULs.
>
> (Though if somebody really wants to dig, it's possible there's a clever
> dual-parser attack here where "\nfoo\0bar baz" finds the header "bar
> baz" in one parser but not in another).
Good point. A _mem function shouldn't worry about NULs. Its callers
are responsible for that -- if necessary.
No idea what an attacker could do with nonce and push-option headers
with varying visibility. Version detection? Something worse?
But anyway: If NULs are of no concern and we currently end parsing when
we see one in all cases, why do we need a _mem function at all? The
original version of the function, find_commit_header(), should suffice.
check_nonce() could be run against the NUL-terminated sigcheck.payload
and check_cert_push_options() parses an entire strbuf, so there is no
risk of out-of-bounds access.
René
next prev parent reply other threads:[~2024-02-08 18:32 UTC|newest]
Thread overview: 13+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-02-05 17:21 [PATCH] commit.c: ensure strchrnul() doesn't scan beyond range Chandra Pratap via GitGitGadget
2024-02-05 19:57 ` René Scharfe
2024-02-06 18:44 ` Junio C Hamano
2024-02-08 1:00 ` Jeff King
2024-02-08 18:31 ` René Scharfe [this message]
2024-02-08 19:48 ` Junio C Hamano
2024-02-08 19:52 ` Kyle Lippincott
2024-02-08 21:41 ` Jeff King
2024-02-08 21:44 ` Junio C Hamano
2024-02-06 1:41 ` Kyle Lippincott
2024-02-07 13:57 ` [PATCH v2] commit.c: ensure find_header_mem() doesn't scan beyond given range Chandra Pratap via GitGitGadget
2024-02-07 17:09 ` René Scharfe
2024-02-07 17:23 ` Junio C Hamano
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=8313d9d6-f6bd-4fae-be9c-e7a8129768eb@web.de \
--to=l.s.r@web.de \
--cc=chandrapratap3519@gmail.com \
--cc=chandrapratap376@gmail.com \
--cc=git@vger.kernel.org \
--cc=gitgitgadget@gmail.com \
--cc=peff@peff.net \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).