Posted to dev@subversion.apache.org by Ken Case <kc...@omnigroup.com> on 2005/11/01 20:17:49 UTC
[PATCH] Fix buffer overflow from expanding long keyword values
We just fixed a buffer overflow which we encountered when expanding
long keyword values: the code in translate_keyword_subst tries to
truncate the keyword values to fit within the fixed-size buffer which
was passed to it, but it doesn't take into account the amount of
space used by the keyword itself.
I'm including a patch, as well as a simple test script which
demonstrates the problem and which can also be used to verify that
the patch fixes the issue. The test script creates a repository in
/tmp/SubversionBufferOverflowTest, creates a long path, commits a new
file which contains a URL keyword, then "svn cat"s that file back
out. Without the patch, the output can be corrupt or the client can
crash. With the patch, the keyword is truncated as that code intended.
(This points out a need for SVN_KEYWORD_MAX_LEN to grow to accommodate
the maximum possible length of a Subversion URL--which is much longer
than its current value of 256--but that's a separate issue.)
Regards,
Ken
[[[
Fix buffer overflow encountered when expanding a long keyword value.
* subversion/libsvn_subr/subst.c
(translate_keyword_subst): When calculating the maximum length of
an expanded keyword value, we need to take into account the amount of
space used by the keyword itself or we will overflow our fixed-length
buffer (passed in via our `buf' parameter, declared on the stack in
svn_subst_translate_stream3() as "char keyword_buf[SVN_KEYWORD_MAX_LEN]").
]]]
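The arithmetic mistake Ken describes, as an added example in C: a toy model of keyword expansion written for this page, not Subversion's translate_keyword_subst() and not the patch itself. It assumes the expanded form "$Keyword: value $" written into a caller-supplied fixed-size buffer. The buggy variant budgets the value against the whole buffer and forgets the keyword name also has to fit, so it runs strlen(keyword) bytes past the end; the fixed variant takes the keyword length out of the budget first and, going one step beyond the thread, rejects a keyword that cannot fit even with an empty value. The canary arena in overflow_bytes() is this example's own test device (it measures the overrun without actually corrupting anything), and the URL and keyword names are constructed sample input.

```c
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/*
 * Toy model of keyword expansion (added illustration, not Subversion code).
 * A keyword is expanded into a fixed-size buffer as "$<keyword>: <value> $"
 * and the value is truncated so that the expansion fits the buffer.
 */

#define FRAME_LEN 5   /* the '$', ':', ' ', ' ', '$' around keyword and value */

typedef int (*expander_fn)(char *buf, size_t buflen,
                           const char *keyword, const char *value);

/* Writes "$keyword: value $" plus NUL into buf; returns bytes written
 * (excluding the NUL). Assumes the caller sized value_len correctly. */
static int write_expansion(char *buf, const char *keyword,
                           const char *value, size_t value_len)
{
    size_t n = 0, klen = strlen(keyword);
    buf[n++] = '$';
    memcpy(buf + n, keyword, klen);
    n += klen;
    buf[n++] = ':';
    buf[n++] = ' ';
    memcpy(buf + n, value, value_len);
    n += value_len;
    buf[n++] = ' ';
    buf[n++] = '$';
    buf[n] = '\0';
    return (int)n;
}

/* BUGGY: the value budget ignores strlen(keyword), the mistake the patch
 * fixes. With a long value the expansion overruns buf by strlen(keyword). */
static int expand_keyword_buggy(char *buf, size_t buflen,
                                const char *keyword, const char *value)
{
    size_t max_value_len = buflen - FRAME_LEN - 1;   /* keyword not counted */
    size_t value_len = strlen(value);
    if (value_len > max_value_len)
        value_len = max_value_len;
    return write_expansion(buf, keyword, value, value_len);
}

/* FIXED: the keyword's own length comes out of the budget, and a keyword
 * that cannot fit even with an empty value is rejected (-1), not written. */
static int expand_keyword_fixed(char *buf, size_t buflen,
                                const char *keyword, const char *value)
{
    size_t klen = strlen(keyword);
    size_t max_value_len, value_len;
    if (buflen < klen + FRAME_LEN + 1)   /* +1 for the terminating NUL */
        return -1;
    max_value_len = buflen - klen - FRAME_LEN - 1;
    value_len = strlen(value);
    if (value_len > max_value_len)
        value_len = max_value_len;
    return write_expansion(buf, keyword, value, value_len);
}

/* Harness: gives fn a buffer that claims to be 'claimed' bytes long but
 * really sits at the start of a larger canary-filled arena, then counts the
 * canary bytes beyond 'claimed' that were overwritten. 0 means no overflow.
 * The spare room keeps the demonstration free of undefined behaviour. */
static size_t overflow_bytes(expander_fn fn, size_t claimed,
                             const char *keyword, const char *value)
{
    const size_t slack = 256;
    const unsigned char canary = 0xAA;   /* never produced by ASCII output */
    unsigned char *arena = malloc(claimed + slack);
    size_t clobbered = 0, i;
    if (!arena)
        return (size_t)-1;
    memset(arena, canary, claimed + slack);
    fn((char *)arena, claimed, keyword, value);
    for (i = claimed; i < claimed + slack; i++)
        if (arena[i] != canary)
            clobbered++;
    free(arena);
    return clobbered;
}

int main(void)
{
    /* Constructed sample: a 32-byte keyword buffer and a URL longer than it. */
    const char *url = "http://svn.example.invalid/a/very/long/path/to/file.c";
    char out[32];
    printf("buggy overruns by %zu byte(s)\n",
           overflow_bytes(expand_keyword_buggy, sizeof out, "URL", url));
    printf("fixed overruns by %zu byte(s)\n",
           overflow_bytes(expand_keyword_fixed, sizeof out, "URL", url));
    expand_keyword_fixed(out, sizeof out, "URL", url);
    printf("fixed output: %s\n", out);
    return 0;
}
```

The overrun is exactly the keyword length, so "$URL$" past a 32-byte buffer is only three bytes, but a longer keyword name (or a value long enough to hit the truncation at all, as the long-path test script in the message arranges) makes it larger; the size of a keyword buffer is something to test at the truncation boundary, not just with short values.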
Re: [PATCH] Fix buffer overflow from expanding long keyword values
Posted by Philip Martin <ph...@codematters.co.uk>.
Ken Case <kc...@omnigroup.com> writes:
> Fix buffer overflow encountered when expanding a long keyword value.
>
> * subversion/libsvn_subr/subst.c
> (translate_keyword_subst): When calculating the maximum length of
> an expanded keyword value, we need to take into account the amount of
> space used by the keyword itself or we will overflow our fixed-length
> buffer (passed in via our `buf' parameter, declared on the stack in
> svn_subst_translate_stream3() as "char keyword_buf[SVN_KEYWORD_MAX_LEN]").
Committed in r17149, thanks!
--
Philip Martin
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@subversion.tigris.org
For additional commands, e-mail: dev-help@subversion.tigris.org
Re: [PATCH] Fix buffer overflow from expanding long keyword values
Posted by John Peacock <jp...@rowman.com>.
Ken Case wrote:
> We just fixed a buffer overflow which we encountered when expanding
> long keyword values: the code in translate_keyword_subst tries to
> truncate the keyword values to fit within the fixed-size buffer which
> was passed to it, but it doesn't take into account the amount of space
> used by the keyword itself.
That's really bad! This probably should be in 1.3, even though I
believe that code was unchanged from before the recent-ish
keywords-as-hash changes.
John
--
John Peacock
Director of Information Research and Technology
Rowman & Littlefield Publishing Group
4501 Forbes Boulevard
Suite H
Lanham, MD 20706
301-459-3366 x.5010
fax 301-429-5748