From: Jonathan Nieder <jrnieder@gmail.com>
To: Jeff King <peff@peff.net>
Cc: demerphq <demerphq@gmail.com>, Git <git@vger.kernel.org>,
"Ævar Arnfjörð Bjarmason" <avarab@gmail.com>
Subject: Re: [PATCH 8/7] read_pack_header: handle signed/unsigned comparison in read result
Date: Wed, 13 Sep 2017 12:11:02 -0700 [thread overview]
Message-ID: <20170913191102.GF27425@aiede.mtv.corp.google.com> (raw)
In-Reply-To: <20170913184722.imcexldnufskugqz@sigill.intra.peff.net>
Jeff King wrote:
> Subject: [PATCH] read_pack_header: handle signed/unsigned comparison in read result
>
> The result of read_in_full() may be -1 if we saw an error.
> But in comparing it to a sizeof() result, that "-1" will be
> promoted to size_t. In fact, the largest possible size_t
> which is much bigger than our struct size. This means that
> our "< sizeof(header)" error check won't trigger.
>
> In practice, we'd go on to read uninitialized memory and
> compare it to the PACK signature, which is likely to fail.
> But we shouldn't get there.
>
> We can fix this by making a direct "!=" comparison to the
> requested size, rather than "<". This means that errors get
> lumped in with short reads, but that's sufficient for our
> purposes here. There's no PH_ERROR tp represent our case.
> And anyway, this function reads from pipes and network
> sockets. A network error may racily appear as EOF to us
> anyway if there's data left in the socket buffers.
>
> Signed-off-by: Jeff King <peff@peff.net>
> ---
> sha1_file.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
This patch 8 (but not patches 2-7) is
Reviewed-by: Jonathan Nieder <jrnieder@gmail.com>
Thanks.
An alternative would be to use something like
< (int) sizeof(*header)
to force it to be signed, but I think this is clearer.
Using the following semantic patch, I find this and the example from
patch 1 and no others:
@@
expression fd;
expression buf;
expression len;
size_t rhs;
@@
-read_in_full(fd, buf, len) < rhs
+ERROR()
@@
expression fd;
expression buf;
expression len;
size_t rhs;
@@
-write_in_full(fd, buf, len) < rhs
+ERROR()
Thanks,
Jonathan
> --- a/sha1_file.c
> +++ b/sha1_file.c
> @@ -1850,7 +1850,7 @@ int index_path(struct object_id *oid, const char *path, struct stat *st, unsigne
>
> int read_pack_header(int fd, struct pack_header *header)
> {
> - if (read_in_full(fd, header, sizeof(*header)) < sizeof(*header))
> + if (read_in_full(fd, header, sizeof(*header)) != sizeof(*header))
> /* "eof before pack header was fully read" */
> return PH_ERROR_EOF;
>
prev parent reply other threads:[~2017-09-13 19:11 UTC|newest]
Thread overview: 46+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-09-13 11:59 Bug: git branch --unset-upstream command can nuke config when disk is full demerphq
2017-09-13 12:34 ` Jeff King
2017-09-13 13:38 ` demerphq
2017-09-13 14:17 ` Jeff King
2017-09-13 14:49 ` demerphq
2017-09-13 14:51 ` Jeff King
2017-09-13 15:18 ` demerphq
2017-09-13 15:22 ` Jeff King
2017-09-13 15:49 ` demerphq
2017-09-13 17:08 ` [PATCH 0/7] config.c may fail to notice some write() failures Jeff King
2017-09-13 17:11 ` [PATCH 1/7] config: avoid "write_in_full(fd, buf, len) < len" pattern Jeff King
2017-09-13 17:47 ` Jonathan Nieder
2017-09-13 17:53 ` Jeff King
2017-09-13 17:59 ` Jonathan Nieder
2017-09-13 18:11 ` Jeff King
2017-09-13 18:15 ` [PATCH v2] " Jeff King
2017-09-13 18:24 ` Jonathan Nieder
2017-09-13 18:58 ` Jeff King
2017-09-13 19:18 ` Jonathan Nieder
2017-09-13 19:49 ` Jonathan Nieder
2017-09-13 22:43 ` Ramsay Jones
2017-09-13 23:31 ` Ramsay Jones
2017-09-15 0:37 ` Jeff King
2017-09-15 15:15 ` Ramsay Jones
2017-09-13 21:33 ` Junio C Hamano
2017-09-13 17:11 ` [PATCH 2/7] get-tar-commit-id: check write_in_full() return against 0 Jeff King
2017-09-13 17:53 ` Jonathan Nieder
2017-09-13 18:02 ` Jeff King
2017-09-13 18:37 ` Jeff King
2017-09-13 21:09 ` Jonathan Nieder
2017-09-15 0:40 ` Jeff King
2017-09-13 17:16 ` [PATCH 3/7] avoid "write_in_full(fd, buf, len) != len" pattern Jeff King
2017-09-13 21:14 ` Jonathan Nieder
2017-09-15 0:42 ` Jeff King
2017-09-13 17:16 ` [PATCH 4/7] convert less-trivial versions of "write_in_full() != len" Jeff King
2017-09-13 21:16 ` Jonathan Nieder
2017-09-13 17:17 ` [PATCH 5/7] pkt-line: check write_in_full() errors against "< 0" Jeff King
2017-09-13 21:17 ` Jonathan Nieder
2017-09-13 17:17 ` [PATCH 6/7] notes-merge: use ssize_t for write_in_full() return value Jeff King
2017-09-13 21:20 ` Jonathan Nieder
2017-09-15 0:43 ` Jeff King
2017-09-13 17:17 ` [PATCH 7/7] config: flip return value of store_write_*() Jeff King
2017-09-13 21:25 ` Jonathan Nieder
2017-09-15 0:46 ` Jeff King
2017-09-13 18:47 ` [PATCH 8/7] read_pack_header: handle signed/unsigned comparison in read result Jeff King
2017-09-13 19:11 ` Jonathan Nieder [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20170913191102.GF27425@aiede.mtv.corp.google.com \
--to=jrnieder@gmail.com \
--cc=avarab@gmail.com \
--cc=demerphq@gmail.com \
--cc=git@vger.kernel.org \
--cc=peff@peff.net \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.