From: Jeff King <peff@peff.net>
To: Junio C Hamano <gitster@pobox.com>
Cc: "René Scharfe" <l.s.r@web.de>,
"Chandra Pratap via GitGitGadget" <gitgitgadget@gmail.com>,
git@vger.kernel.org,
"Chandra Pratap" <chandrapratap376@gmail.com>,
"Chandra Pratap" <chandrapratap3519@gmail.com>
Subject: Re: [PATCH] commit.c: ensure strchrnul() doesn't scan beyond range
Date: Thu, 8 Feb 2024 16:41:37 -0500 [thread overview]
Message-ID: <20240208214137.GB1090198@coredump.intra.peff.net> (raw)
In-Reply-To: <xmqqil2yn3ey.fsf@gitster.g>
On Thu, Feb 08, 2024 at 11:48:05AM -0800, Junio C Hamano wrote:
> René Scharfe <l.s.r@web.de> writes:
>
> > But anyway: If NULs are of no concern and we currently end parsing when
> > we see one in all cases, why do we need a _mem function at all? The
> > original version of the function, find_commit_header(), should suffice.
> > check_nonce() could be run against the NUL-terminated sigcheck.payload
> > and check_cert_push_options() parses an entire strbuf, so there is no
> > risk of out-of-bounds access.
>
> If I recall correctly, the caller that does not pass strlen() as the
> payload length gives a length that is shorter than the buffer, i.e.
> "stop the parsing here, do not get confused into thinking the
> garbage after this point contains useful payload" was the reason why
> we have a separate "len".
Yes, check_nonce() passes in a length limited by the start of the actual
signature, as determined by parse_signed_buffer(). Though that generally
comes after a blank line, which would also stop find_header() from
parsing further.
But more interestingly: even though we pass a buf/len pair to
parse_signed_buffer(), it then calls get_format_by_sig() which takes
only a NUL-terminated string. So:
1. It is not possible for the buf/len pair we pass to check_nonce() to
contain a NUL. And thus there is no caller of find_header_mem()
that can contain an embedded NUL. So switching from strchrnul() to
just memchr() should be OK there.
2. That raises the question of whether parse_signed_buffer() has a
similar walk-too-far problem. ;) The answer is no, because we feed
it from a strbuf. But it's not a great pattern overall.
-Peff
next prev parent reply other threads:[~2024-02-08 21:41 UTC|newest]
Thread overview: 13+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-02-05 17:21 [PATCH] commit.c: ensure strchrnul() doesn't scan beyond range Chandra Pratap via GitGitGadget
2024-02-05 19:57 ` René Scharfe
2024-02-06 18:44 ` Junio C Hamano
2024-02-08 1:00 ` Jeff King
2024-02-08 18:31 ` René Scharfe
2024-02-08 19:48 ` Junio C Hamano
2024-02-08 19:52 ` Kyle Lippincott
2024-02-08 21:41 ` Jeff King [this message]
2024-02-08 21:44 ` Junio C Hamano
2024-02-06 1:41 ` Kyle Lippincott
2024-02-07 13:57 ` [PATCH v2] commit.c: ensure find_header_mem() doesn't scan beyond given range Chandra Pratap via GitGitGadget
2024-02-07 17:09 ` René Scharfe
2024-02-07 17:23 ` Junio C Hamano
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20240208214137.GB1090198@coredump.intra.peff.net \
--to=peff@peff.net \
--cc=chandrapratap3519@gmail.com \
--cc=chandrapratap376@gmail.com \
--cc=git@vger.kernel.org \
--cc=gitgitgadget@gmail.com \
--cc=gitster@pobox.com \
--cc=l.s.r@web.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).