Re: [PATCH v4 10/32] cache.h: define constants LOCK_SUFFIX and LOCK_SUFFIX_LEN
On Fri, Sep 12, 2014 at 10:13 AM, Michael Haggerty wrote: > On 09/12/2014 12:42 AM, Ronnie Sahlberg wrote: >> Maybe we should not have a public constant defined for the length : >> +#define LOCK_SUFFIX_LEN 5 >> >> since it encourages unsafe code like : (this was unsafe long before >> your patch so not a regression) >> + i = strlen(result_file) - LOCK_SUFFIX_LEN; /* .lock */ >> result_file[i] = 0; >> >> >> >> What about removing LOCK_SUFFIX_LEN from the public API and introduce >> a helper function something like : >> >> >> /* pointer to the character where the lock suffix starts */ >> char *lock_suffix_ptr_safe(const char *filename) >> { >> size_t len = strlen(filename); >> if (len < 5) >>die("BUG:... >> if (strcmp(filename + len - 5, LOCK_SUFFIX) >>die("BUG:... >> return filename + len - 5; >> } >> >> and use it instead? > > At the end of this patch series, LOCK_SUFFIX_LEN is only used in two > places outside of lockfile.c: > > * In check_refname_component(), to ensure that no component of a > reference name ends with ".lock". This only indirectly has anything to > do with lockfiles. > > * In delete_ref_loose(), to derive the name of the loose reference file > from the name of the lockfile. It immediately xmemdupz()s the part of > the filename that it needs, so it is kosher. > > I will add a function get_locked_file_path() for the use of the second > caller. > > I like being able to use the symbolic constant at the first caller, and > it is not dangerous. I don't think it is so important to make the > constant private, because I think somebody programming sloppily wouldn't > be deterred for long by not seeing a symbolic constant for the suffix > length. So if it's OK with you I'll leave the constant. It is OK with me. -- To unsubscribe from this list: send the line "unsubscribe git" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Re: [PATCH v4 10/32] cache.h: define constants LOCK_SUFFIX and LOCK_SUFFIX_LEN
On 09/12/2014 12:42 AM, Ronnie Sahlberg wrote: > Maybe we should not have a public constant defined for the length : > +#define LOCK_SUFFIX_LEN 5 > > since it encourages unsafe code like : (this was unsafe long before > your patch so not a regression) > + i = strlen(result_file) - LOCK_SUFFIX_LEN; /* .lock */ > result_file[i] = 0; > > > > What about removing LOCK_SUFFIX_LEN from the public API and introduce > a helper function something like : > > > /* pointer to the character where the lock suffix starts */ > char *lock_suffix_ptr_safe(const char *filename) > { > size_t len = strlen(filename); > if (len < 5) >die("BUG:... > if (strcmp(filename + len - 5, LOCK_SUFFIX) >die("BUG:... > return filename + len - 5; > } > > and use it instead? At the end of this patch series, LOCK_SUFFIX_LEN is only used in two places outside of lockfile.c: * In check_refname_component(), to ensure that no component of a reference name ends with ".lock". This only indirectly has anything to do with lockfiles. * In delete_ref_loose(), to derive the name of the loose reference file from the name of the lockfile. It immediately xmemdupz()s the part of the filename that it needs, so it is kosher. I will add a function get_locked_file_path() for the use of the second caller. I like being able to use the symbolic constant at the first caller, and it is not dangerous. I don't think it is so important to make the constant private, because I think somebody programming sloppily wouldn't be deterred for long by not seeing a symbolic constant for the suffix length. So if it's OK with you I'll leave the constant. Michael -- Michael Haggerty mhag...@alum.mit.edu -- To unsubscribe from this list: send the line "unsubscribe git" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Re: [PATCH v4 10/32] cache.h: define constants LOCK_SUFFIX and LOCK_SUFFIX_LEN
On 09/12/2014 12:15 AM, Ronnie Sahlberg wrote: > On Sat, Sep 6, 2014 at 12:50 AM, Michael Haggerty > wrote: >> There are a few places that use these values, so define constants for >> them. >> >> Signed-off-by: Michael Haggerty >> --- >> cache.h| 4 >> lockfile.c | 11 ++- >> refs.c | 7 --- >> 3 files changed, 14 insertions(+), 8 deletions(-) >> >> diff --git a/cache.h b/cache.h >> index da77094..41d829b 100644 >> --- a/cache.h >> +++ b/cache.h >> @@ -569,6 +569,10 @@ extern void fill_stat_cache_info(struct cache_entry >> *ce, struct stat *st); >> #define REFRESH_IN_PORCELAIN 0x0020 /* user friendly output, not "needs >> update" */ >> extern int refresh_index(struct index_state *, unsigned int flags, const >> struct pathspec *pathspec, char *seen, const char *header_msg); >> >> +/* String appended to a filename to derive the lockfile name: */ >> +#define LOCK_SUFFIX ".lock" >> +#define LOCK_SUFFIX_LEN 5 >> + >> struct lock_file { >> struct lock_file *next; >> int fd; >> diff --git a/lockfile.c b/lockfile.c >> index 964b3fc..bfea333 100644 >> --- a/lockfile.c >> +++ b/lockfile.c >> @@ -176,10 +176,11 @@ static char *resolve_symlink(char *p, size_t s) >> static int lock_file(struct lock_file *lk, const char *path, int flags) >> { >> /* >> -* subtract 5 from size to make sure there's room for adding >> -* ".lock" for the lock file name >> +* subtract LOCK_SUFFIX_LEN from size to make sure there's >> +* room for adding ".lock" for the lock file name: >> */ >> - static const size_t max_path_len = sizeof(lk->filename) - 5; >> + static const size_t max_path_len = sizeof(lk->filename) - >> + LOCK_SUFFIX_LEN; >> >> if (!lock_file_list) { >> /* One-time initialization */ >> @@ -204,7 +205,7 @@ static int lock_file(struct lock_file *lk, const char >> *path, int flags) >> strcpy(lk->filename, path); >> if (!(flags & LOCK_NODEREF)) >> resolve_symlink(lk->filename, max_path_len); >> - strcat(lk->filename, ".lock"); >> + strcat(lk->filename, LOCK_SUFFIX); >> lk->fd = open(lk->filename, O_RDWR | O_CREAT | O_EXCL, 0666); >> if (0 <= lk->fd) { >> lk->owner = getpid(); >> @@ -314,7 +315,7 @@ int commit_lock_file(struct lock_file *lk) >> if (lk->fd >= 0 && close_lock_file(lk)) >> return -1; >> strcpy(result_file, lk->filename); >> - i = strlen(result_file) - 5; /* .lock */ >> + i = strlen(result_file) - LOCK_SUFFIX_LEN; /* .lock */ > > Not a new bug since the previous code is broken too. > Should probably checkstrlen(result_file) >= 5 here before subtracting 5. > > Otherwise, a caller that calls commit_lock_file() with an already > committed/closed lock_file can cause writing outside the bounds of > the array on the line below. Good catch; thanks. I will fix this in the reroll (though probably in a later patch). >> [...] Michael -- Michael Haggerty mhag...@alum.mit.edu -- To unsubscribe from this list: send the line "unsubscribe git" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Re: [PATCH v4 10/32] cache.h: define constants LOCK_SUFFIX and LOCK_SUFFIX_LEN
Maybe we should not have a public constant defined for the length : +#define LOCK_SUFFIX_LEN 5 since it encourages unsafe code like : (this was unsafe long before your patch so not a regression) + i = strlen(result_file) - LOCK_SUFFIX_LEN; /* .lock */ result_file[i] = 0; What about removing LOCK_SUFFIX_LEN from the public API and introduce a helper function something like : /* pointer to the character where the lock suffix starts */ char *lock_suffix_ptr_safe(const char *filename) { size_t len = strlen(filename); if (len < 5) die("BUG:... if (strcmp(filename + len - 5, LOCK_SUFFIX) die("BUG:... return filename + len - 5; } and use it instead? On Sat, Sep 6, 2014 at 12:50 AM, Michael Haggerty wrote: > There are a few places that use these values, so define constants for > them. > > Signed-off-by: Michael Haggerty > --- > cache.h| 4 > lockfile.c | 11 ++- > refs.c | 7 --- > 3 files changed, 14 insertions(+), 8 deletions(-) > > diff --git a/cache.h b/cache.h > index da77094..41d829b 100644 > --- a/cache.h > +++ b/cache.h > @@ -569,6 +569,10 @@ extern void fill_stat_cache_info(struct cache_entry *ce, > struct stat *st); > #define REFRESH_IN_PORCELAIN 0x0020 /* user friendly output, not "needs > update" */ > extern int refresh_index(struct index_state *, unsigned int flags, const > struct pathspec *pathspec, char *seen, const char *header_msg); > > +/* String appended to a filename to derive the lockfile name: */ > +#define LOCK_SUFFIX ".lock" > +#define LOCK_SUFFIX_LEN 5 > + > struct lock_file { > struct lock_file *next; > int fd; > diff --git a/lockfile.c b/lockfile.c > index 964b3fc..bfea333 100644 > --- a/lockfile.c > +++ b/lockfile.c > @@ -176,10 +176,11 @@ static char *resolve_symlink(char *p, size_t s) > static int lock_file(struct lock_file *lk, const char *path, int flags) > { > /* > -* subtract 5 from size to make sure there's room for adding > -* ".lock" for the lock file name > +* subtract LOCK_SUFFIX_LEN from size to make sure there's > +* room for adding ".lock" for the lock file name: > */ > - static const size_t max_path_len = sizeof(lk->filename) - 5; > + static const size_t max_path_len = sizeof(lk->filename) - > + LOCK_SUFFIX_LEN; > > if (!lock_file_list) { > /* One-time initialization */ > @@ -204,7 +205,7 @@ static int lock_file(struct lock_file *lk, const char > *path, int flags) > strcpy(lk->filename, path); > if (!(flags & LOCK_NODEREF)) > resolve_symlink(lk->filename, max_path_len); > - strcat(lk->filename, ".lock"); > + strcat(lk->filename, LOCK_SUFFIX); > lk->fd = open(lk->filename, O_RDWR | O_CREAT | O_EXCL, 0666); > if (0 <= lk->fd) { > lk->owner = getpid(); > @@ -314,7 +315,7 @@ int commit_lock_file(struct lock_file *lk) > if (lk->fd >= 0 && close_lock_file(lk)) > return -1; > strcpy(result_file, lk->filename); > - i = strlen(result_file) - 5; /* .lock */ > + i = strlen(result_file) - LOCK_SUFFIX_LEN; /* .lock */ > result_file[i] = 0; > if (rename(lk->filename, result_file)) > return -1; > diff --git a/refs.c b/refs.c > index 5ae8e69..828522d 100644 > --- a/refs.c > +++ b/refs.c > @@ -74,7 +74,8 @@ out: > if (refname[1] == '\0') > return -1; /* Component equals ".". */ > } > - if (cp - refname >= 5 && !memcmp(cp - 5, ".lock", 5)) > + if (cp - refname >= LOCK_SUFFIX_LEN && > + !memcmp(cp - LOCK_SUFFIX_LEN, LOCK_SUFFIX, LOCK_SUFFIX_LEN)) > return -1; /* Refname ends with ".lock". */ > return cp - refname; > } > @@ -2545,11 +2546,11 @@ static int delete_ref_loose(struct ref_lock *lock, > int flag) > { > if (!(flag & REF_ISPACKED) || flag & REF_ISSYMREF) { > /* loose */ > - int err, i = strlen(lock->lk->filename) - 5; /* .lock */ > + int err, i = strlen(lock->lk->filename) - LOCK_SUFFIX_LEN; > > lock->lk->filename[i] = 0; > err = unlink_or_warn(lock->lk->filename); > - lock->lk->filename[i] = '.'; > + lock->lk->filename[i] = LOCK_SUFFIX[0]; > if (err && errno != ENOENT) > return 1; > } > -- > 2.1.0 > > -- > To unsubscribe from this list: send the line "unsubscribe git" in > the body of a message to majord...@vger.kernel.org > More majordomo info at http://vger.kernel.org/majordomo-info.html -- To unsubscribe from this list: send the line "unsubscribe git" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Re: [PATCH v4 10/32] cache.h: define constants LOCK_SUFFIX and LOCK_SUFFIX_LEN
On Sat, Sep 6, 2014 at 12:50 AM, Michael Haggerty wrote: > There are a few places that use these values, so define constants for > them. > > Signed-off-by: Michael Haggerty > --- > cache.h| 4 > lockfile.c | 11 ++- > refs.c | 7 --- > 3 files changed, 14 insertions(+), 8 deletions(-) > > diff --git a/cache.h b/cache.h > index da77094..41d829b 100644 > --- a/cache.h > +++ b/cache.h > @@ -569,6 +569,10 @@ extern void fill_stat_cache_info(struct cache_entry *ce, > struct stat *st); > #define REFRESH_IN_PORCELAIN 0x0020 /* user friendly output, not "needs > update" */ > extern int refresh_index(struct index_state *, unsigned int flags, const > struct pathspec *pathspec, char *seen, const char *header_msg); > > +/* String appended to a filename to derive the lockfile name: */ > +#define LOCK_SUFFIX ".lock" > +#define LOCK_SUFFIX_LEN 5 > + > struct lock_file { > struct lock_file *next; > int fd; > diff --git a/lockfile.c b/lockfile.c > index 964b3fc..bfea333 100644 > --- a/lockfile.c > +++ b/lockfile.c > @@ -176,10 +176,11 @@ static char *resolve_symlink(char *p, size_t s) > static int lock_file(struct lock_file *lk, const char *path, int flags) > { > /* > -* subtract 5 from size to make sure there's room for adding > -* ".lock" for the lock file name > +* subtract LOCK_SUFFIX_LEN from size to make sure there's > +* room for adding ".lock" for the lock file name: > */ > - static const size_t max_path_len = sizeof(lk->filename) - 5; > + static const size_t max_path_len = sizeof(lk->filename) - > + LOCK_SUFFIX_LEN; > > if (!lock_file_list) { > /* One-time initialization */ > @@ -204,7 +205,7 @@ static int lock_file(struct lock_file *lk, const char > *path, int flags) > strcpy(lk->filename, path); > if (!(flags & LOCK_NODEREF)) > resolve_symlink(lk->filename, max_path_len); > - strcat(lk->filename, ".lock"); > + strcat(lk->filename, LOCK_SUFFIX); > lk->fd = open(lk->filename, O_RDWR | O_CREAT | O_EXCL, 0666); > if (0 <= lk->fd) { > lk->owner = getpid(); > @@ -314,7 +315,7 @@ int commit_lock_file(struct lock_file *lk) > if (lk->fd >= 0 && close_lock_file(lk)) > return -1; > strcpy(result_file, lk->filename); > - i = strlen(result_file) - 5; /* .lock */ > + i = strlen(result_file) - LOCK_SUFFIX_LEN; /* .lock */ Not a new bug since the previous code is broken too. Should probably checkstrlen(result_file) >= 5 here before subtracting 5. Otherwise, a caller that calls commit_lock_file() with an already committed/closed lock_file can cause writing outside the bounds of the array on the line below. > result_file[i] = 0; > if (rename(lk->filename, result_file)) > return -1; > diff --git a/refs.c b/refs.c > index 5ae8e69..828522d 100644 > --- a/refs.c > +++ b/refs.c > @@ -74,7 +74,8 @@ out: > if (refname[1] == '\0') > return -1; /* Component equals ".". */ > } > - if (cp - refname >= 5 && !memcmp(cp - 5, ".lock", 5)) > + if (cp - refname >= LOCK_SUFFIX_LEN && > + !memcmp(cp - LOCK_SUFFIX_LEN, LOCK_SUFFIX, LOCK_SUFFIX_LEN)) > return -1; /* Refname ends with ".lock". */ > return cp - refname; > } > @@ -2545,11 +2546,11 @@ static int delete_ref_loose(struct ref_lock *lock, > int flag) > { > if (!(flag & REF_ISPACKED) || flag & REF_ISSYMREF) { > /* loose */ > - int err, i = strlen(lock->lk->filename) - 5; /* .lock */ > + int err, i = strlen(lock->lk->filename) - LOCK_SUFFIX_LEN; > > lock->lk->filename[i] = 0; > err = unlink_or_warn(lock->lk->filename); > - lock->lk->filename[i] = '.'; > + lock->lk->filename[i] = LOCK_SUFFIX[0]; > if (err && errno != ENOENT) > return 1; > } > -- > 2.1.0 > > -- > To unsubscribe from this list: send the line "unsubscribe git" in > the body of a message to majord...@vger.kernel.org > More majordomo info at http://vger.kernel.org/majordomo-info.html -- To unsubscribe from this list: send the line "unsubscribe git" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
[PATCH v4 10/32] cache.h: define constants LOCK_SUFFIX and LOCK_SUFFIX_LEN
There are a few places that use these values, so define constants for them. Signed-off-by: Michael Haggerty --- cache.h| 4 lockfile.c | 11 ++- refs.c | 7 --- 3 files changed, 14 insertions(+), 8 deletions(-) diff --git a/cache.h b/cache.h index da77094..41d829b 100644 --- a/cache.h +++ b/cache.h @@ -569,6 +569,10 @@ extern void fill_stat_cache_info(struct cache_entry *ce, struct stat *st); #define REFRESH_IN_PORCELAIN 0x0020 /* user friendly output, not "needs update" */ extern int refresh_index(struct index_state *, unsigned int flags, const struct pathspec *pathspec, char *seen, const char *header_msg); +/* String appended to a filename to derive the lockfile name: */ +#define LOCK_SUFFIX ".lock" +#define LOCK_SUFFIX_LEN 5 + struct lock_file { struct lock_file *next; int fd; diff --git a/lockfile.c b/lockfile.c index 964b3fc..bfea333 100644 --- a/lockfile.c +++ b/lockfile.c @@ -176,10 +176,11 @@ static char *resolve_symlink(char *p, size_t s) static int lock_file(struct lock_file *lk, const char *path, int flags) { /* -* subtract 5 from size to make sure there's room for adding -* ".lock" for the lock file name +* subtract LOCK_SUFFIX_LEN from size to make sure there's +* room for adding ".lock" for the lock file name: */ - static const size_t max_path_len = sizeof(lk->filename) - 5; + static const size_t max_path_len = sizeof(lk->filename) - + LOCK_SUFFIX_LEN; if (!lock_file_list) { /* One-time initialization */ @@ -204,7 +205,7 @@ static int lock_file(struct lock_file *lk, const char *path, int flags) strcpy(lk->filename, path); if (!(flags & LOCK_NODEREF)) resolve_symlink(lk->filename, max_path_len); - strcat(lk->filename, ".lock"); + strcat(lk->filename, LOCK_SUFFIX); lk->fd = open(lk->filename, O_RDWR | O_CREAT | O_EXCL, 0666); if (0 <= lk->fd) { lk->owner = getpid(); @@ -314,7 +315,7 @@ int commit_lock_file(struct lock_file *lk) if (lk->fd >= 0 && close_lock_file(lk)) return -1; strcpy(result_file, lk->filename); - i = strlen(result_file) - 5; /* .lock */ + i = strlen(result_file) - LOCK_SUFFIX_LEN; /* .lock */ result_file[i] = 0; if (rename(lk->filename, result_file)) return -1; diff --git a/refs.c b/refs.c index 5ae8e69..828522d 100644 --- a/refs.c +++ b/refs.c @@ -74,7 +74,8 @@ out: if (refname[1] == '\0') return -1; /* Component equals ".". */ } - if (cp - refname >= 5 && !memcmp(cp - 5, ".lock", 5)) + if (cp - refname >= LOCK_SUFFIX_LEN && + !memcmp(cp - LOCK_SUFFIX_LEN, LOCK_SUFFIX, LOCK_SUFFIX_LEN)) return -1; /* Refname ends with ".lock". */ return cp - refname; } @@ -2545,11 +2546,11 @@ static int delete_ref_loose(struct ref_lock *lock, int flag) { if (!(flag & REF_ISPACKED) || flag & REF_ISSYMREF) { /* loose */ - int err, i = strlen(lock->lk->filename) - 5; /* .lock */ + int err, i = strlen(lock->lk->filename) - LOCK_SUFFIX_LEN; lock->lk->filename[i] = 0; err = unlink_or_warn(lock->lk->filename); - lock->lk->filename[i] = '.'; + lock->lk->filename[i] = LOCK_SUFFIX[0]; if (err && errno != ENOENT) return 1; } -- 2.1.0 -- To unsubscribe from this list: send the line "unsubscribe git" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html