Re: [PATCH v4 10/32] cache.h: define constants LOCK_SUFFIX and LOCK_SUFFIX_LEN
On Fri, Sep 12, 2014 at 10:13 AM, Michael Haggerty wrote:
> On 09/12/2014 12:42 AM, Ronnie Sahlberg wrote:
>> Maybe we should not have a public constant defined for the length :
>> +#define LOCK_SUFFIX_LEN 5
>>
>> since it encourages unsafe code like : (this was unsafe long before
>> your patch so not a regression)
>> + i = strlen(result_file) - LOCK_SUFFIX_LEN; /* .lock */
>> result_file[i] = 0;
>>
>>
>>
>> What about removing LOCK_SUFFIX_LEN from the public API and introduce
>> a helper function something like :
>>
>>
>> /* pointer to the character where the lock suffix starts */
>> char *lock_suffix_ptr_safe(const char *filename)
>> {
>> size_t len = strlen(filename);
>> if (len < 5)
>>die("BUG:...
>> if (strcmp(filename + len - 5, LOCK_SUFFIX)
>>die("BUG:...
>> return filename + len - 5;
>> }
>>
>> and use it instead?
>
> At the end of this patch series, LOCK_SUFFIX_LEN is only used in two
> places outside of lockfile.c:
>
> * In check_refname_component(), to ensure that no component of a
> reference name ends with ".lock". This only indirectly has anything to
> do with lockfiles.
>
> * In delete_ref_loose(), to derive the name of the loose reference file
> from the name of the lockfile. It immediately xmemdupz()s the part of
> the filename that it needs, so it is kosher.
>
> I will add a function get_locked_file_path() for the use of the second
> caller.
>
> I like being able to use the symbolic constant at the first caller, and
> it is not dangerous. I don't think it is so important to make the
> constant private, because I think somebody programming sloppily wouldn't
> be deterred for long by not seeing a symbolic constant for the suffix
> length. So if it's OK with you I'll leave the constant.
It is OK with me.
--
To unsubscribe from this list: send the line "unsubscribe git" in
the body of a message to majord...@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Re: [PATCH v4 10/32] cache.h: define constants LOCK_SUFFIX and LOCK_SUFFIX_LEN
On 09/12/2014 12:42 AM, Ronnie Sahlberg wrote:
> Maybe we should not have a public constant defined for the length :
> +#define LOCK_SUFFIX_LEN 5
>
> since it encourages unsafe code like : (this was unsafe long before
> your patch so not a regression)
> + i = strlen(result_file) - LOCK_SUFFIX_LEN; /* .lock */
> result_file[i] = 0;
>
>
>
> What about removing LOCK_SUFFIX_LEN from the public API and introduce
> a helper function something like :
>
>
> /* pointer to the character where the lock suffix starts */
> char *lock_suffix_ptr_safe(const char *filename)
> {
> size_t len = strlen(filename);
> if (len < 5)
>die("BUG:...
> if (strcmp(filename + len - 5, LOCK_SUFFIX)
>die("BUG:...
> return filename + len - 5;
> }
>
> and use it instead?
At the end of this patch series, LOCK_SUFFIX_LEN is only used in two
places outside of lockfile.c:
* In check_refname_component(), to ensure that no component of a
reference name ends with ".lock". This only indirectly has anything to
do with lockfiles.
* In delete_ref_loose(), to derive the name of the loose reference file
from the name of the lockfile. It immediately xmemdupz()s the part of
the filename that it needs, so it is kosher.
I will add a function get_locked_file_path() for the use of the second
caller.
I like being able to use the symbolic constant at the first caller, and
it is not dangerous. I don't think it is so important to make the
constant private, because I think somebody programming sloppily wouldn't
be deterred for long by not seeing a symbolic constant for the suffix
length. So if it's OK with you I'll leave the constant.
Michael
--
Michael Haggerty
mhag...@alum.mit.edu
--
To unsubscribe from this list: send the line "unsubscribe git" in
the body of a message to majord...@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Re: [PATCH v4 10/32] cache.h: define constants LOCK_SUFFIX and LOCK_SUFFIX_LEN
On 09/12/2014 12:15 AM, Ronnie Sahlberg wrote:
> On Sat, Sep 6, 2014 at 12:50 AM, Michael Haggerty
> wrote:
>> There are a few places that use these values, so define constants for
>> them.
>>
>> Signed-off-by: Michael Haggerty
>> ---
>> cache.h| 4
>> lockfile.c | 11 ++-
>> refs.c | 7 ---
>> 3 files changed, 14 insertions(+), 8 deletions(-)
>>
>> diff --git a/cache.h b/cache.h
>> index da77094..41d829b 100644
>> --- a/cache.h
>> +++ b/cache.h
>> @@ -569,6 +569,10 @@ extern void fill_stat_cache_info(struct cache_entry
>> *ce, struct stat *st);
>> #define REFRESH_IN_PORCELAIN 0x0020 /* user friendly output, not "needs
>> update" */
>> extern int refresh_index(struct index_state *, unsigned int flags, const
>> struct pathspec *pathspec, char *seen, const char *header_msg);
>>
>> +/* String appended to a filename to derive the lockfile name: */
>> +#define LOCK_SUFFIX ".lock"
>> +#define LOCK_SUFFIX_LEN 5
>> +
>> struct lock_file {
>> struct lock_file *next;
>> int fd;
>> diff --git a/lockfile.c b/lockfile.c
>> index 964b3fc..bfea333 100644
>> --- a/lockfile.c
>> +++ b/lockfile.c
>> @@ -176,10 +176,11 @@ static char *resolve_symlink(char *p, size_t s)
>> static int lock_file(struct lock_file *lk, const char *path, int flags)
>> {
>> /*
>> -* subtract 5 from size to make sure there's room for adding
>> -* ".lock" for the lock file name
>> +* subtract LOCK_SUFFIX_LEN from size to make sure there's
>> +* room for adding ".lock" for the lock file name:
>> */
>> - static const size_t max_path_len = sizeof(lk->filename) - 5;
>> + static const size_t max_path_len = sizeof(lk->filename) -
>> + LOCK_SUFFIX_LEN;
>>
>> if (!lock_file_list) {
>> /* One-time initialization */
>> @@ -204,7 +205,7 @@ static int lock_file(struct lock_file *lk, const char
>> *path, int flags)
>> strcpy(lk->filename, path);
>> if (!(flags & LOCK_NODEREF))
>> resolve_symlink(lk->filename, max_path_len);
>> - strcat(lk->filename, ".lock");
>> + strcat(lk->filename, LOCK_SUFFIX);
>> lk->fd = open(lk->filename, O_RDWR | O_CREAT | O_EXCL, 0666);
>> if (0 <= lk->fd) {
>> lk->owner = getpid();
>> @@ -314,7 +315,7 @@ int commit_lock_file(struct lock_file *lk)
>> if (lk->fd >= 0 && close_lock_file(lk))
>> return -1;
>> strcpy(result_file, lk->filename);
>> - i = strlen(result_file) - 5; /* .lock */
>> + i = strlen(result_file) - LOCK_SUFFIX_LEN; /* .lock */
>
> Not a new bug since the previous code is broken too.
> Should probably checkstrlen(result_file) >= 5 here before subtracting 5.
>
> Otherwise, a caller that calls commit_lock_file() with an already
> committed/closed lock_file can cause writing outside the bounds of
> the array on the line below.
Good catch; thanks. I will fix this in the reroll (though probably in a
later patch).
>> [...]
Michael
--
Michael Haggerty
mhag...@alum.mit.edu
--
To unsubscribe from this list: send the line "unsubscribe git" in
the body of a message to majord...@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Re: [PATCH v4 10/32] cache.h: define constants LOCK_SUFFIX and LOCK_SUFFIX_LEN
Maybe we should not have a public constant defined for the length :
+#define LOCK_SUFFIX_LEN 5
since it encourages unsafe code like : (this was unsafe long before
your patch so not a regression)
+ i = strlen(result_file) - LOCK_SUFFIX_LEN; /* .lock */
result_file[i] = 0;
What about removing LOCK_SUFFIX_LEN from the public API and introduce
a helper function something like :
/* pointer to the character where the lock suffix starts */
char *lock_suffix_ptr_safe(const char *filename)
{
size_t len = strlen(filename);
if (len < 5)
die("BUG:...
if (strcmp(filename + len - 5, LOCK_SUFFIX)
die("BUG:...
return filename + len - 5;
}
and use it instead?
On Sat, Sep 6, 2014 at 12:50 AM, Michael Haggerty wrote:
> There are a few places that use these values, so define constants for
> them.
>
> Signed-off-by: Michael Haggerty
> ---
> cache.h| 4
> lockfile.c | 11 ++-
> refs.c | 7 ---
> 3 files changed, 14 insertions(+), 8 deletions(-)
>
> diff --git a/cache.h b/cache.h
> index da77094..41d829b 100644
> --- a/cache.h
> +++ b/cache.h
> @@ -569,6 +569,10 @@ extern void fill_stat_cache_info(struct cache_entry *ce,
> struct stat *st);
> #define REFRESH_IN_PORCELAIN 0x0020 /* user friendly output, not "needs
> update" */
> extern int refresh_index(struct index_state *, unsigned int flags, const
> struct pathspec *pathspec, char *seen, const char *header_msg);
>
> +/* String appended to a filename to derive the lockfile name: */
> +#define LOCK_SUFFIX ".lock"
> +#define LOCK_SUFFIX_LEN 5
> +
> struct lock_file {
> struct lock_file *next;
> int fd;
> diff --git a/lockfile.c b/lockfile.c
> index 964b3fc..bfea333 100644
> --- a/lockfile.c
> +++ b/lockfile.c
> @@ -176,10 +176,11 @@ static char *resolve_symlink(char *p, size_t s)
> static int lock_file(struct lock_file *lk, const char *path, int flags)
> {
> /*
> -* subtract 5 from size to make sure there's room for adding
> -* ".lock" for the lock file name
> +* subtract LOCK_SUFFIX_LEN from size to make sure there's
> +* room for adding ".lock" for the lock file name:
> */
> - static const size_t max_path_len = sizeof(lk->filename) - 5;
> + static const size_t max_path_len = sizeof(lk->filename) -
> + LOCK_SUFFIX_LEN;
>
> if (!lock_file_list) {
> /* One-time initialization */
> @@ -204,7 +205,7 @@ static int lock_file(struct lock_file *lk, const char
> *path, int flags)
> strcpy(lk->filename, path);
> if (!(flags & LOCK_NODEREF))
> resolve_symlink(lk->filename, max_path_len);
> - strcat(lk->filename, ".lock");
> + strcat(lk->filename, LOCK_SUFFIX);
> lk->fd = open(lk->filename, O_RDWR | O_CREAT | O_EXCL, 0666);
> if (0 <= lk->fd) {
> lk->owner = getpid();
> @@ -314,7 +315,7 @@ int commit_lock_file(struct lock_file *lk)
> if (lk->fd >= 0 && close_lock_file(lk))
> return -1;
> strcpy(result_file, lk->filename);
> - i = strlen(result_file) - 5; /* .lock */
> + i = strlen(result_file) - LOCK_SUFFIX_LEN; /* .lock */
> result_file[i] = 0;
> if (rename(lk->filename, result_file))
> return -1;
> diff --git a/refs.c b/refs.c
> index 5ae8e69..828522d 100644
> --- a/refs.c
> +++ b/refs.c
> @@ -74,7 +74,8 @@ out:
> if (refname[1] == '\0')
> return -1; /* Component equals ".". */
> }
> - if (cp - refname >= 5 && !memcmp(cp - 5, ".lock", 5))
> + if (cp - refname >= LOCK_SUFFIX_LEN &&
> + !memcmp(cp - LOCK_SUFFIX_LEN, LOCK_SUFFIX, LOCK_SUFFIX_LEN))
> return -1; /* Refname ends with ".lock". */
> return cp - refname;
> }
> @@ -2545,11 +2546,11 @@ static int delete_ref_loose(struct ref_lock *lock,
> int flag)
> {
> if (!(flag & REF_ISPACKED) || flag & REF_ISSYMREF) {
> /* loose */
> - int err, i = strlen(lock->lk->filename) - 5; /* .lock */
> + int err, i = strlen(lock->lk->filename) - LOCK_SUFFIX_LEN;
>
> lock->lk->filename[i] = 0;
> err = unlink_or_warn(lock->lk->filename);
> - lock->lk->filename[i] = '.';
> + lock->lk->filename[i] = LOCK_SUFFIX[0];
> if (err && errno != ENOENT)
> return 1;
> }
> --
> 2.1.0
>
> --
> To unsubscribe from this list: send the line "unsubscribe git" in
> the body of a message to majord...@vger.kernel.org
> More majordomo info at http://vger.kernel.org/majordomo-info.html
--
To unsubscribe from this list: send the line "unsubscribe git" in
the body of a message to majord...@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Re: [PATCH v4 10/32] cache.h: define constants LOCK_SUFFIX and LOCK_SUFFIX_LEN
On Sat, Sep 6, 2014 at 12:50 AM, Michael Haggerty wrote:
> There are a few places that use these values, so define constants for
> them.
>
> Signed-off-by: Michael Haggerty
> ---
> cache.h| 4
> lockfile.c | 11 ++-
> refs.c | 7 ---
> 3 files changed, 14 insertions(+), 8 deletions(-)
>
> diff --git a/cache.h b/cache.h
> index da77094..41d829b 100644
> --- a/cache.h
> +++ b/cache.h
> @@ -569,6 +569,10 @@ extern void fill_stat_cache_info(struct cache_entry *ce,
> struct stat *st);
> #define REFRESH_IN_PORCELAIN 0x0020 /* user friendly output, not "needs
> update" */
> extern int refresh_index(struct index_state *, unsigned int flags, const
> struct pathspec *pathspec, char *seen, const char *header_msg);
>
> +/* String appended to a filename to derive the lockfile name: */
> +#define LOCK_SUFFIX ".lock"
> +#define LOCK_SUFFIX_LEN 5
> +
> struct lock_file {
> struct lock_file *next;
> int fd;
> diff --git a/lockfile.c b/lockfile.c
> index 964b3fc..bfea333 100644
> --- a/lockfile.c
> +++ b/lockfile.c
> @@ -176,10 +176,11 @@ static char *resolve_symlink(char *p, size_t s)
> static int lock_file(struct lock_file *lk, const char *path, int flags)
> {
> /*
> -* subtract 5 from size to make sure there's room for adding
> -* ".lock" for the lock file name
> +* subtract LOCK_SUFFIX_LEN from size to make sure there's
> +* room for adding ".lock" for the lock file name:
> */
> - static const size_t max_path_len = sizeof(lk->filename) - 5;
> + static const size_t max_path_len = sizeof(lk->filename) -
> + LOCK_SUFFIX_LEN;
>
> if (!lock_file_list) {
> /* One-time initialization */
> @@ -204,7 +205,7 @@ static int lock_file(struct lock_file *lk, const char
> *path, int flags)
> strcpy(lk->filename, path);
> if (!(flags & LOCK_NODEREF))
> resolve_symlink(lk->filename, max_path_len);
> - strcat(lk->filename, ".lock");
> + strcat(lk->filename, LOCK_SUFFIX);
> lk->fd = open(lk->filename, O_RDWR | O_CREAT | O_EXCL, 0666);
> if (0 <= lk->fd) {
> lk->owner = getpid();
> @@ -314,7 +315,7 @@ int commit_lock_file(struct lock_file *lk)
> if (lk->fd >= 0 && close_lock_file(lk))
> return -1;
> strcpy(result_file, lk->filename);
> - i = strlen(result_file) - 5; /* .lock */
> + i = strlen(result_file) - LOCK_SUFFIX_LEN; /* .lock */
Not a new bug since the previous code is broken too.
Should probably checkstrlen(result_file) >= 5 here before subtracting 5.
Otherwise, a caller that calls commit_lock_file() with an already
committed/closed lock_file can cause writing outside the bounds of
the array on the line below.
> result_file[i] = 0;
> if (rename(lk->filename, result_file))
> return -1;
> diff --git a/refs.c b/refs.c
> index 5ae8e69..828522d 100644
> --- a/refs.c
> +++ b/refs.c
> @@ -74,7 +74,8 @@ out:
> if (refname[1] == '\0')
> return -1; /* Component equals ".". */
> }
> - if (cp - refname >= 5 && !memcmp(cp - 5, ".lock", 5))
> + if (cp - refname >= LOCK_SUFFIX_LEN &&
> + !memcmp(cp - LOCK_SUFFIX_LEN, LOCK_SUFFIX, LOCK_SUFFIX_LEN))
> return -1; /* Refname ends with ".lock". */
> return cp - refname;
> }
> @@ -2545,11 +2546,11 @@ static int delete_ref_loose(struct ref_lock *lock,
> int flag)
> {
> if (!(flag & REF_ISPACKED) || flag & REF_ISSYMREF) {
> /* loose */
> - int err, i = strlen(lock->lk->filename) - 5; /* .lock */
> + int err, i = strlen(lock->lk->filename) - LOCK_SUFFIX_LEN;
>
> lock->lk->filename[i] = 0;
> err = unlink_or_warn(lock->lk->filename);
> - lock->lk->filename[i] = '.';
> + lock->lk->filename[i] = LOCK_SUFFIX[0];
> if (err && errno != ENOENT)
> return 1;
> }
> --
> 2.1.0
>
> --
> To unsubscribe from this list: send the line "unsubscribe git" in
> the body of a message to majord...@vger.kernel.org
> More majordomo info at http://vger.kernel.org/majordomo-info.html
--
To unsubscribe from this list: send the line "unsubscribe git" in
the body of a message to majord...@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
[PATCH v4 10/32] cache.h: define constants LOCK_SUFFIX and LOCK_SUFFIX_LEN
There are a few places that use these values, so define constants for
them.
Signed-off-by: Michael Haggerty
---
cache.h| 4
lockfile.c | 11 ++-
refs.c | 7 ---
3 files changed, 14 insertions(+), 8 deletions(-)
diff --git a/cache.h b/cache.h
index da77094..41d829b 100644
--- a/cache.h
+++ b/cache.h
@@ -569,6 +569,10 @@ extern void fill_stat_cache_info(struct cache_entry *ce,
struct stat *st);
#define REFRESH_IN_PORCELAIN 0x0020 /* user friendly output, not "needs
update" */
extern int refresh_index(struct index_state *, unsigned int flags, const
struct pathspec *pathspec, char *seen, const char *header_msg);
+/* String appended to a filename to derive the lockfile name: */
+#define LOCK_SUFFIX ".lock"
+#define LOCK_SUFFIX_LEN 5
+
struct lock_file {
struct lock_file *next;
int fd;
diff --git a/lockfile.c b/lockfile.c
index 964b3fc..bfea333 100644
--- a/lockfile.c
+++ b/lockfile.c
@@ -176,10 +176,11 @@ static char *resolve_symlink(char *p, size_t s)
static int lock_file(struct lock_file *lk, const char *path, int flags)
{
/*
-* subtract 5 from size to make sure there's room for adding
-* ".lock" for the lock file name
+* subtract LOCK_SUFFIX_LEN from size to make sure there's
+* room for adding ".lock" for the lock file name:
*/
- static const size_t max_path_len = sizeof(lk->filename) - 5;
+ static const size_t max_path_len = sizeof(lk->filename) -
+ LOCK_SUFFIX_LEN;
if (!lock_file_list) {
/* One-time initialization */
@@ -204,7 +205,7 @@ static int lock_file(struct lock_file *lk, const char
*path, int flags)
strcpy(lk->filename, path);
if (!(flags & LOCK_NODEREF))
resolve_symlink(lk->filename, max_path_len);
- strcat(lk->filename, ".lock");
+ strcat(lk->filename, LOCK_SUFFIX);
lk->fd = open(lk->filename, O_RDWR | O_CREAT | O_EXCL, 0666);
if (0 <= lk->fd) {
lk->owner = getpid();
@@ -314,7 +315,7 @@ int commit_lock_file(struct lock_file *lk)
if (lk->fd >= 0 && close_lock_file(lk))
return -1;
strcpy(result_file, lk->filename);
- i = strlen(result_file) - 5; /* .lock */
+ i = strlen(result_file) - LOCK_SUFFIX_LEN; /* .lock */
result_file[i] = 0;
if (rename(lk->filename, result_file))
return -1;
diff --git a/refs.c b/refs.c
index 5ae8e69..828522d 100644
--- a/refs.c
+++ b/refs.c
@@ -74,7 +74,8 @@ out:
if (refname[1] == '\0')
return -1; /* Component equals ".". */
}
- if (cp - refname >= 5 && !memcmp(cp - 5, ".lock", 5))
+ if (cp - refname >= LOCK_SUFFIX_LEN &&
+ !memcmp(cp - LOCK_SUFFIX_LEN, LOCK_SUFFIX, LOCK_SUFFIX_LEN))
return -1; /* Refname ends with ".lock". */
return cp - refname;
}
@@ -2545,11 +2546,11 @@ static int delete_ref_loose(struct ref_lock *lock, int
flag)
{
if (!(flag & REF_ISPACKED) || flag & REF_ISSYMREF) {
/* loose */
- int err, i = strlen(lock->lk->filename) - 5; /* .lock */
+ int err, i = strlen(lock->lk->filename) - LOCK_SUFFIX_LEN;
lock->lk->filename[i] = 0;
err = unlink_or_warn(lock->lk->filename);
- lock->lk->filename[i] = '.';
+ lock->lk->filename[i] = LOCK_SUFFIX[0];
if (err && errno != ENOENT)
return 1;
}
--
2.1.0
--
To unsubscribe from this list: send the line "unsubscribe git" in
the body of a message to majord...@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
