
Commit 6bdb008

peffgitster
authored andcommitted
daemon: detect and reject too-long paths
When we are checking the path via path_ok(), we use some fixed PATH_MAX buffers. We write into them via snprintf(), so there's no possibility of overflow, but it does mean we may silently truncate the path, leading to potentially confusing errors when the partial path does not exist. We're better off to reject the path explicitly. Signed-off-by: Jeff King <[email protected]> Signed-off-by: Junio C Hamano <[email protected]>
1 parent 0b65a8d commit 6bdb008


1 file changed

+21
-4
lines changed


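--- a/daemon.c
+++ b/daemon.c
@@ -161,6 +161,7 @@ static const char *path_ok(const char *directory, struct hostinfo *hi)
 {
 static char rpath[PATH_MAX];
 static char interp_path[PATH_MAX];
+size_t rlen;
 const char *path;
 const char *dir;
 
@@ -188,8 +189,12 @@ static const char *path_ok(const char *directory, struct hostinfo *hi)
 namlen = slash - dir;
 restlen -= namlen;
 loginfo("userpath <%s>, request <%s>, namlen %d, restlen %d, slash <%s>", user_path, dir, namlen, restlen, slash);
-snprintf(rpath, PATH_MAX, "%.*s/%s%.*s",
-namlen, dir, user_path, restlen, slash);
+rlen = snprintf(rpath, sizeof(rpath), "%.*s/%s%.*s",
+namlen, dir, user_path, restlen, slash);
+if (rlen >= sizeof(rpath)) {
+logerror("user-path too large: %s", rpath);
+return NULL;
+}
 dir = rpath;
 }
 }
@@ -208,7 +213,15 @@ static const char *path_ok(const char *directory, struct hostinfo *hi)
 
 strbuf_expand(&expanded_path, interpolated_path,
 expand_path, &context);
-strlcpy(interp_path, expanded_path.buf, PATH_MAX);
+
+rlen = strlcpy(interp_path, expanded_path.buf,
+sizeof(interp_path));
+if (rlen >= sizeof(interp_path)) {
+logerror("interpolated path too large: %s",
+interp_path);
+return NULL;
+}
+
 strbuf_release(&expanded_path);
 loginfo("Interpolated dir '%s'", interp_path);
 
@@ -220,7 +233,11 @@ static const char *path_ok(const char *directory, struct hostinfo *hi)
 logerror("'%s': Non-absolute path denied (base-path active)", dir);
 return NULL;
 }
-snprintf(rpath, PATH_MAX, "%s%s", base_path, dir);
+rlen = snprintf(rpath, sizeof(rpath), "%s%s", base_path, dir);
+if (rlen >= sizeof(rpath)) {
+logerror("base-path too large: %s", rpath);
+return NULL;
+}
 dir = rpath;
 }
 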
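Review bot: The new early `return NULL` in the interpolated-path check (third hunk) exits before `strbuf_release(&expanded_path)`, so the expanded buffer is never released on the reject path. Because `interp_path` already holds the truncated copy used in the log message and the length is kept in `rlen`, the release can move up to directly after the `strlcpy()` call, or `strbuf_release(&expanded_path);` can be added just before `return NULL;`. The path being checked appears to come from the client's request, so this branch can be driven by any peer that sends an over-long path; how much the leak matters depends on how long the serving process lives, which is not visible here. The three new `logerror()` calls also write up to PATH_MAX bytes of that request-derived path into the log, so it may be worth logging only the length or a bounded prefix (`%.*s`). `path_ok()` begins and ends outside these hunks.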
