|
|
|
/*
|
|
|
|
* Copyright (c) 2006 Franck Bui-Huu
|
|
|
|
*/
|
|
|
|
#include "cache.h"
|
|
|
|
#include "builtin.h"
|
|
|
|
#include "archive.h"
|
|
|
|
#include "pkt-line.h"
|
|
|
|
#include "sideband.h"
|
|
|
|
#include "run-command.h"
|
upload-archive: use argv_array to store client arguments
The current parsing scheme for upload-archive is to pack
arguments into a fixed-size buffer, separated by NULs, and
put a pointer to each argument in the buffer into a
fixed-size argv array.
This works fine, and the limits are high enough that nobody
reasonable is going to hit them, but it makes the code hard
to follow. Instead, let's just stuff the arguments into an
argv_array, which is much simpler. That lifts the "all
arguments must fit inside 4K together" limit.
We could also trivially lift the MAX_ARGS limitation (in
fact, we have to keep extra code to enforce it). But that
would mean a client could force us to allocate an arbitrary
amount of memory simply by sending us "argument" lines. By
limiting the MAX_ARGS, we limit an attacker to about 4
megabytes (64 times a maximum 64K packet buffer). That may
sound like a lot compared to the 4K limit, but it's not a
big deal compared to what git-archive will actually allocate
while working (e.g., to load blobs into memory). The
important thing is that it is bounded.
Signed-off-by: Jeff King <peff@peff.net>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
12 years ago
|
|
|
#include "argv-array.h"
|
|
|
|
|
|
|
|
static const char upload_archive_usage[] =
|
|
|
|
"git upload-archive <repo>";
|
|
|
|
|
|
|
|
static const char deadchild[] =
|
|
|
|
"git upload-archive: archiver died with error";
|
|
|
|
|
|
|
|
#define MAX_ARGS (64)
|
|
|
|
|
|
|
|
int cmd_upload_archive_writer(int argc, const char **argv, const char *prefix)
|
|
|
|
{
|
upload-archive: use argv_array to store client arguments
The current parsing scheme for upload-archive is to pack
arguments into a fixed-size buffer, separated by NULs, and
put a pointer to each argument in the buffer into a
fixed-size argv array.
This works fine, and the limits are high enough that nobody
reasonable is going to hit them, but it makes the code hard
to follow. Instead, let's just stuff the arguments into an
argv_array, which is much simpler. That lifts the "all
arguments must fit inside 4K together" limit.
We could also trivially lift the MAX_ARGS limitation (in
fact, we have to keep extra code to enforce it). But that
would mean a client could force us to allocate an arbitrary
amount of memory simply by sending us "argument" lines. By
limiting the MAX_ARGS, we limit an attacker to about 4
megabytes (64 times a maximum 64K packet buffer). That may
sound like a lot compared to the 4K limit, but it's not a
big deal compared to what git-archive will actually allocate
while working (e.g., to load blobs into memory). The
important thing is that it is bounded.
Signed-off-by: Jeff King <peff@peff.net>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
12 years ago
|
|
|
struct argv_array sent_argv = ARGV_ARRAY_INIT;
|
|
|
|
const char *arg_cmd = "argument ";
|
|
|
|
|
|
|
|
if (argc != 2)
|
|
|
|
usage(upload_archive_usage);
|
|
|
|
|
|
|
|
if (!enter_repo(argv[1], 0))
|
|
|
|
die("'%s' does not appear to be a git repository", argv[1]);
|
|
|
|
|
|
|
|
/* put received options in sent_argv[] */
|
upload-archive: use argv_array to store client arguments
The current parsing scheme for upload-archive is to pack
arguments into a fixed-size buffer, separated by NULs, and
put a pointer to each argument in the buffer into a
fixed-size argv array.
This works fine, and the limits are high enough that nobody
reasonable is going to hit them, but it makes the code hard
to follow. Instead, let's just stuff the arguments into an
argv_array, which is much simpler. That lifts the "all
arguments must fit inside 4K together" limit.
We could also trivially lift the MAX_ARGS limitation (in
fact, we have to keep extra code to enforce it). But that
would mean a client could force us to allocate an arbitrary
amount of memory simply by sending us "argument" lines. By
limiting the MAX_ARGS, we limit an attacker to about 4
megabytes (64 times a maximum 64K packet buffer). That may
sound like a lot compared to the 4K limit, but it's not a
big deal compared to what git-archive will actually allocate
while working (e.g., to load blobs into memory). The
important thing is that it is bounded.
Signed-off-by: Jeff King <peff@peff.net>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
12 years ago
|
|
|
argv_array_push(&sent_argv, "git-upload-archive");
|
|
|
|
for (;;) {
|
pkt-line: provide a LARGE_PACKET_MAX static buffer
Most of the callers of packet_read_line just read into a
static 1000-byte buffer (callers which handle arbitrary
binary data already use LARGE_PACKET_MAX). This works fine
in practice, because:
1. The only variable-sized data in these lines is a ref
name, and refs tend to be a lot shorter than 1000
characters.
2. When sending ref lines, git-core always limits itself
to 1000 byte packets.
However, the only limit given in the protocol specification
in Documentation/technical/protocol-common.txt is
LARGE_PACKET_MAX; the 1000 byte limit is mentioned only in
pack-protocol.txt, and then only describing what we write,
not as a specific limit for readers.
This patch lets us bump the 1000-byte limit to
LARGE_PACKET_MAX. Even though git-core will never write a
packet where this makes a difference, there are two good
reasons to do this:
1. Other git implementations may have followed
protocol-common.txt and used a larger maximum size. We
don't bump into it in practice because it would involve
very long ref names.
2. We may want to increase the 1000-byte limit one day.
Since packets are transferred before any capabilities,
it's difficult to do this in a backwards-compatible
way. But if we bump the size of buffer the readers can
handle, eventually older versions of git will be
obsolete enough that we can justify bumping the
writers, as well. We don't have plans to do this
anytime soon, but there is no reason not to start the
clock ticking now.
Just bumping all of the reading bufs to LARGE_PACKET_MAX
would waste memory. Instead, since most readers just read
into a temporary buffer anyway, let's provide a single
static buffer that all callers can use. We can further wrap
this detail away by having the packet_read_line wrapper just
use the buffer transparently and return a pointer to the
static storage. That covers most of the cases, and the
remaining ones already read into their own LARGE_PACKET_MAX
buffers.
Signed-off-by: Jeff King <peff@peff.net>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
12 years ago
|
|
|
char *buf = packet_read_line(0, NULL);
|
|
|
|
if (!buf)
|
|
|
|
break; /* got a flush */
|
upload-archive: use argv_array to store client arguments
The current parsing scheme for upload-archive is to pack
arguments into a fixed-size buffer, separated by NULs, and
put a pointer to each argument in the buffer into a
fixed-size argv array.
This works fine, and the limits are high enough that nobody
reasonable is going to hit them, but it makes the code hard
to follow. Instead, let's just stuff the arguments into an
argv_array, which is much simpler. That lifts the "all
arguments must fit inside 4K together" limit.
We could also trivially lift the MAX_ARGS limitation (in
fact, we have to keep extra code to enforce it). But that
would mean a client could force us to allocate an arbitrary
amount of memory simply by sending us "argument" lines. By
limiting the MAX_ARGS, we limit an attacker to about 4
megabytes (64 times a maximum 64K packet buffer). That may
sound like a lot compared to the 4K limit, but it's not a
big deal compared to what git-archive will actually allocate
while working (e.g., to load blobs into memory). The
important thing is that it is bounded.
Signed-off-by: Jeff King <peff@peff.net>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
12 years ago
|
|
|
if (sent_argv.argc > MAX_ARGS)
|
|
|
|
die("Too many options (>%d)", MAX_ARGS - 1);
|
|
|
|
|
|
|
|
if (!starts_with(buf, arg_cmd))
|
upload-archive: use argv_array to store client arguments
The current parsing scheme for upload-archive is to pack
arguments into a fixed-size buffer, separated by NULs, and
put a pointer to each argument in the buffer into a
fixed-size argv array.
This works fine, and the limits are high enough that nobody
reasonable is going to hit them, but it makes the code hard
to follow. Instead, let's just stuff the arguments into an
argv_array, which is much simpler. That lifts the "all
arguments must fit inside 4K together" limit.
We could also trivially lift the MAX_ARGS limitation (in
fact, we have to keep extra code to enforce it). But that
would mean a client could force us to allocate an arbitrary
amount of memory simply by sending us "argument" lines. By
limiting the MAX_ARGS, we limit an attacker to about 4
megabytes (64 times a maximum 64K packet buffer). That may
sound like a lot compared to the 4K limit, but it's not a
big deal compared to what git-archive will actually allocate
while working (e.g., to load blobs into memory). The
important thing is that it is bounded.
Signed-off-by: Jeff King <peff@peff.net>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
12 years ago
|
|
|
die("'argument' token or flush expected");
|
|
|
|
argv_array_push(&sent_argv, buf + strlen(arg_cmd));
|
|
|
|
}
|
|
|
|
|
|
|
|
/* parse all options sent by the client */
|
upload-archive: use argv_array to store client arguments
The current parsing scheme for upload-archive is to pack
arguments into a fixed-size buffer, separated by NULs, and
put a pointer to each argument in the buffer into a
fixed-size argv array.
This works fine, and the limits are high enough that nobody
reasonable is going to hit them, but it makes the code hard
to follow. Instead, let's just stuff the arguments into an
argv_array, which is much simpler. That lifts the "all
arguments must fit inside 4K together" limit.
We could also trivially lift the MAX_ARGS limitation (in
fact, we have to keep extra code to enforce it). But that
would mean a client could force us to allocate an arbitrary
amount of memory simply by sending us "argument" lines. By
limiting the MAX_ARGS, we limit an attacker to about 4
megabytes (64 times a maximum 64K packet buffer). That may
sound like a lot compared to the 4K limit, but it's not a
big deal compared to what git-archive will actually allocate
while working (e.g., to load blobs into memory). The
important thing is that it is bounded.
Signed-off-by: Jeff King <peff@peff.net>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
12 years ago
|
|
|
return write_archive(sent_argv.argc, sent_argv.argv, prefix, 0, NULL, 1);
|
|
|
|
}
|
|
|
|
|
|
|
|
__attribute__((format (printf, 1, 2)))
|
|
|
|
static void error_clnt(const char *fmt, ...)
|
|
|
|
{
|
|
|
|
char buf[1024];
|
|
|
|
va_list params;
|
|
|
|
int len;
|
|
|
|
|
|
|
|
va_start(params, fmt);
|
|
|
|
len = vsprintf(buf, fmt, params);
|
|
|
|
va_end(params);
|
|
|
|
send_sideband(1, 3, buf, len, LARGE_PACKET_MAX);
|
|
|
|
die("sent error to the client: %s", buf);
|
|
|
|
}
|
|
|
|
|
|
|
|
static ssize_t process_input(int child_fd, int band)
|
|
|
|
{
|
|
|
|
char buf[16384];
|
|
|
|
ssize_t sz = read(child_fd, buf, sizeof(buf));
|
|
|
|
if (sz < 0) {
|
|
|
|
if (errno != EAGAIN && errno != EINTR)
|
|
|
|
error_clnt("read error: %s\n", strerror(errno));
|
|
|
|
return sz;
|
|
|
|
}
|
|
|
|
send_sideband(1, band, buf, sz, LARGE_PACKET_MAX);
|
|
|
|
return sz;
|
|
|
|
}
|
|
|
|
|
|
|
|
int cmd_upload_archive(int argc, const char **argv, const char *prefix)
|
|
|
|
{
|
|
|
|
struct child_process writer = { argv };
|
|
|
|
|
|
|
|
/*
|
|
|
|
* Set up sideband subprocess.
|
|
|
|
*
|
|
|
|
* We (parent) monitor and read from child, sending its fd#1 and fd#2
|
|
|
|
* multiplexed out to our fd#1. If the child dies, we tell the other
|
|
|
|
* end over channel #3.
|
|
|
|
*/
|
|
|
|
argv[0] = "upload-archive--writer";
|
|
|
|
writer.out = writer.err = -1;
|
|
|
|
writer.git_cmd = 1;
|
|
|
|
if (start_command(&writer)) {
|
|
|
|
int err = errno;
|
|
|
|
packet_write(1, "NACK unable to spawn subprocess\n");
|
|
|
|
die("upload-archive: %s", strerror(err));
|
|
|
|
}
|
|
|
|
|
|
|
|
packet_write(1, "ACK\n");
|
|
|
|
packet_flush(1);
|
|
|
|
|
|
|
|
while (1) {
|
|
|
|
struct pollfd pfd[2];
|
|
|
|
|
|
|
|
pfd[0].fd = writer.out;
|
|
|
|
pfd[0].events = POLLIN;
|
|
|
|
pfd[1].fd = writer.err;
|
|
|
|
pfd[1].events = POLLIN;
|
|
|
|
if (poll(pfd, 2, -1) < 0) {
|
|
|
|
if (errno != EINTR) {
|
|
|
|
error("poll failed resuming: %s",
|
|
|
|
strerror(errno));
|
|
|
|
sleep(1);
|
|
|
|
}
|
|
|
|
continue;
|
|
|
|
}
|
|
|
|
if (pfd[1].revents & POLLIN)
|
|
|
|
/* Status stream ready */
|
|
|
|
if (process_input(pfd[1].fd, 2))
|
|
|
|
continue;
|
|
|
|
if (pfd[0].revents & POLLIN)
|
|
|
|
/* Data stream ready */
|
|
|
|
if (process_input(pfd[0].fd, 1))
|
|
|
|
continue;
|
|
|
|
|
|
|
|
if (finish_command(&writer))
|
|
|
|
error_clnt("%s", deadchild);
|
|
|
|
packet_flush(1);
|
|
|
|
break;
|
|
|
|
}
|
|
|
|
return 0;
|
|
|
|
}
|