summaryrefslogtreecommitdiff
path: root/unpack-trees.c
diff options
context:
space:
mode:
authorJeff King <peff@peff.net>2015-08-19 14:12:37 -0400
committerJunio C Hamano <gitster@pobox.com>2015-09-04 08:50:50 -0700
commitf514ef9787f320287d7ba71f2965127b9d8b3832 (patch)
treeb0e16e72ca7b4b9b84874b838930da61796ab587 /unpack-trees.c
parentfdf96a20acf96a6ac538df8113b2aafd6ed71d50 (diff)
downloadgit-f514ef9787f320287d7ba71f2965127b9d8b3832.tar.gz
verify_absent: allow filenames longer than PATH_MAX
When unpack-trees wants to know whether a path will overwrite anything in the working tree, we use lstat() to see if there is anything there. But if we are going to write "foo/bar", we can't just lstat("foo/bar"); we need to look for leading prefixes (e.g., "foo"). So we use the lstat cache to find the length of the leading prefix, and copy the filename up to that length into a temporary buffer (since the original name is const, we cannot just stick a NUL in it). The copy we make goes into a PATH_MAX-sized buffer, which will overflow if the prefix is longer than PATH_MAX. How this happens is a little tricky, since in theory PATH_MAX is the biggest path we will have read from the filesystem. But this can happen if: - the compiled-in PATH_MAX does not accurately reflect what the filesystem is capable of - the leading prefix is not _quite_ what is on disk; it contains the next element from the name we are checking. So if we want to write "aaa/bbb/ccc/ddd" and "aaa/bbb" exists, the prefix of interest is "aaa/bbb/ccc". If "aaa/bbb" approaches PATH_MAX, then "ccc" can overflow it. So this can be triggered, but it's hard to do. In particular, you cannot just "git clone" a bogus repo. The verify_absent checks happen before unpack-trees writes anything to the filesystem, so there are never any leading prefixes during the initial checkout, and the bug doesn't trigger. And by definition, these files are larger than PATH_MAX, so writing them will fail, and clone will complain (though it may write a partial path, which will cause a subsequent "git checkout" to hit the bug). We can fix it by creating the temporary path on the heap. The extra malloc overhead is not important, as we are already making at least one stat() call (and probably more for the prefix discovery). Signed-off-by: Jeff King <peff@peff.net> Signed-off-by: Junio C Hamano <gitster@pobox.com>
Diffstat (limited to 'unpack-trees.c')
-rw-r--r--unpack-trees.c17
1 files changed, 10 insertions, 7 deletions
diff --git a/unpack-trees.c b/unpack-trees.c
index 256df47b35..4a6347899c 100644
--- a/unpack-trees.c
+++ b/unpack-trees.c
@@ -1432,15 +1432,18 @@ static int verify_absent_1(const struct cache_entry *ce,
if (!len)
return 0;
else if (len > 0) {
- char path[PATH_MAX + 1];
- memcpy(path, ce->name, len);
- path[len] = 0;
+ char *path;
+ int ret;
+
+ path = xmemdupz(ce->name, len);
if (lstat(path, &st))
- return error("cannot stat '%s': %s", path,
+ ret = error("cannot stat '%s': %s", path,
strerror(errno));
-
- return check_ok_to_remove(path, len, DT_UNKNOWN, NULL, &st,
- error_type, o);
+ else
+ ret = check_ok_to_remove(path, len, DT_UNKNOWN, NULL,
+ &st, error_type, o);
+ free(path);
+ return ret;
} else if (lstat(ce->name, &st)) {
if (errno != ENOENT)
return error("cannot stat '%s': %s", ce->name,