v0 protocol: use size_t for capability length/offset

When parsing server capabilities, we use "int" to store lengths and
offsets. At first glance this seems like a spot where our parser may be
confused by integer overflow if somebody sent us a malicious response.

In practice these strings are all bounded by the 64k limit of a
pkt-line, so using "int" is OK. However, it makes the code simpler to
audit if they just use size_t everywhere. Note that because we take
these parameters as pointers, this also forces many callers to update
their declared types.

Signed-off-by: Jeff King <peff@peff.net>
Signed-off-by: Junio C Hamano <gitster@pobox.com>

diff --git a/builtin/receive-pack.c b/builtin/receive-pack.c
index 9109552533d838755a0db62b8de9bd8a671cad12..3b495ecc8429d5f8c91495256cea905e8b3744e4 100644 (file)
--- a/builtin/receive-pack.c
+++ b/builtin/receive-pack.c
@@ -2093,7 +2093,7 @@ static struct command *read_head_info(struct packet_reader *reader,
                        const char *feature_list = reader->line + linelen + 1;
                        const char *hash = NULL;
                        const char *client_sid;
-                       int len = 0;
+                       size_t len = 0;
                        if (parse_feature_request(feature_list, "report-status"))
                                report_status = 1;
                        if (parse_feature_request(feature_list, "report-status-v2"))

diff --git a/connect.c b/connect.c
index b7ba5f5727d764ffe81e339a06c5405dfb86d54d..c54adc652f7df33092046b449287cbd27c7b5e22 100644 (file)
--- a/connect.c
+++ b/connect.c
@@ -22,7 +22,7 @@
 
 static char *server_capabilities_v1;
 static struct strvec server_capabilities_v2 = STRVEC_INIT;
-static const char *next_server_feature_value(const char *feature, int *len, int *offset);
+static const char *next_server_feature_value(const char *feature, size_t *len, size_t *offset);
 
 static int check_ref(const char *name, unsigned int flags)
 {
@@ -205,10 +205,10 @@ reject:
 static void annotate_refs_with_symref_info(struct ref *ref)
 {
        struct string_list symref = STRING_LIST_INIT_DUP;
-       int offset = 0;
+       size_t offset = 0;
 
        while (1) {
-               int len;
+               size_t len;
                const char *val;
 
                val = next_server_feature_value("symref", &len, &offset);
@@ -231,7 +231,7 @@ static void annotate_refs_with_symref_info(struct ref *ref)
 static void process_capabilities(struct packet_reader *reader, int *linelen)
 {
        const char *feat_val;
-       int feat_len;
+       size_t feat_len;
        const char *line = reader->line;
        int nul_location = strlen(line);
        if (nul_location == *linelen)
@@ -596,10 +596,10 @@ struct ref **get_remote_refs(int fd_out, struct packet_reader *reader,
        return list;
 }
 
-const char *parse_feature_value(const char *feature_list, const char *feature, int *lenp, int *offset)
+const char *parse_feature_value(const char *feature_list, const char *feature, size_t *lenp, size_t *offset)
 {
        const char *orig_start = feature_list;
-       int len;
+       size_t len;
 
        if (!feature_list)
                return NULL;
@@ -623,7 +623,7 @@ const char *parse_feature_value(const char *feature_list, const char *feature, i
                        }
                        /* feature with a value (e.g., "agent=git/1.2.3") */
                        else if (*value == '=') {
-                               int end;
+                               size_t end;
 
                                value++;
                                end = strcspn(value, " \t\n");
@@ -645,8 +645,8 @@ const char *parse_feature_value(const char *feature_list, const char *feature, i
 
 int server_supports_hash(const char *desired, int *feature_supported)
 {
-       int offset = 0;
-       int len;
+       size_t offset = 0;
+       size_t len;
        const char *hash;
 
        hash = next_server_feature_value("object-format", &len, &offset);
@@ -670,12 +670,12 @@ int parse_feature_request(const char *feature_list, const char *feature)
        return !!parse_feature_value(feature_list, feature, NULL, NULL);
 }
 
-static const char *next_server_feature_value(const char *feature, int *len, int *offset)
+static const char *next_server_feature_value(const char *feature, size_t *len, size_t *offset)
 {
        return parse_feature_value(server_capabilities_v1, feature, len, offset);
 }
 
-const char *server_feature_value(const char *feature, int *len)
+const char *server_feature_value(const char *feature, size_t *len)
 {
        return parse_feature_value(server_capabilities_v1, feature, len, NULL);
 }

diff --git a/connect.h b/connect.h
index f41a0b4c1fb766523d6bee7964989063a6ceeaa2..1645126c17f889659d84174210a43939ef67507f 100644 (file)
--- a/connect.h
+++ b/connect.h
@@ -12,14 +12,14 @@ int finish_connect(struct child_process *conn);
 int git_connection_is_socket(struct child_process *conn);
 int server_supports(const char *feature);
 int parse_feature_request(const char *features, const char *feature);
-const char *server_feature_value(const char *feature, int *len_ret);
+const char *server_feature_value(const char *feature, size_t *len_ret);
 int url_is_local_not_ssh(const char *url);
 
 struct packet_reader;
 enum protocol_version discover_version(struct packet_reader *reader);
 
 int server_supports_hash(const char *desired, int *feature_supported);
-const char *parse_feature_value(const char *feature_list, const char *feature, int *lenp, int *offset);
+const char *parse_feature_value(const char *feature_list, const char *feature, size_t *lenp, size_t *offset);
 int server_supports_v2(const char *c);
 void ensure_server_supports_v2(const char *c);
 int server_feature_v2(const char *c, const char **v);

diff --git a/fetch-pack.c b/fetch-pack.c
index 368f2ed25a1c40f6ab55f0b1098a8722ce930c18..97a44ed5829bc0b2e8c6b233ed915027ea4193ab 100644 (file)
--- a/fetch-pack.c
+++ b/fetch-pack.c
@@ -1099,7 +1099,7 @@ static struct ref *do_fetch_pack(struct fetch_pack_args *args,
        struct ref *ref = copy_ref_list(orig_ref);
        struct object_id oid;
        const char *agent_feature;
-       int agent_len;
+       size_t agent_len;
        struct fetch_negotiator negotiator_alloc;
        struct fetch_negotiator *negotiator;
 
@@ -1117,7 +1117,7 @@ static struct ref *do_fetch_pack(struct fetch_pack_args *args,
                agent_supported = 1;
                if (agent_len)
                        print_verbose(args, _("Server version is %.*s"),
-                                     agent_len, agent_feature);
+                                     (int)agent_len, agent_feature);
        }
 
        if (!server_supports("session-id"))

diff --git a/send-pack.c b/send-pack.c
index f81bbb28d79259f25db58548ca3d51fb8b2f6a2d..97344b629eef01299ceae03561d94d167789038f 100644 (file)
--- a/send-pack.c
+++ b/send-pack.c
@@ -538,7 +538,7 @@ int send_pack(struct send_pack_args *args,
                die(_("the receiving end does not support this repository's hash algorithm"));
 
        if (args->push_cert != SEND_PACK_PUSH_CERT_NEVER) {
-               int len;
+               size_t len;
                push_cert_nonce = server_feature_value("push-cert", &len);
                if (push_cert_nonce) {
                        reject_invalid_nonce(push_cert_nonce, len);

diff --git a/transport.c b/transport.c
index 89a220425ecf0e5a2684f76038827f7e8f0241d1..6223dc3de263047928b973a5322b73f05744f055 100644 (file)
--- a/transport.c
+++ b/transport.c
@@ -317,7 +317,7 @@ static struct ref *handshake(struct transport *transport, int for_push,
        struct git_transport_data *data = transport->data;
        struct ref *refs = NULL;
        struct packet_reader reader;
-       int sid_len;
+       size_t sid_len;
        const char *server_sid;
 
        connect_setup(transport, for_push);

diff --git a/upload-pack.c b/upload-pack.c
index e23f16dfdd220036f3b5bb93d24d8c1b4e7f4b96..565e46058fe1299721eddafe2618be95774c5fbd 100644 (file)
--- a/upload-pack.c
+++ b/upload-pack.c
@@ -1067,7 +1067,7 @@ static void receive_needs(struct upload_pack_data *data,
                const char *features;
                struct object_id oid_buf;
                const char *arg;
-               int feature_len;
+               size_t feature_len;
 
                reset_timeout(data->timeout);
                if (packet_reader_read(reader) != PACKET_READ_NORMAL)