summaryrefslogtreecommitdiff
path: root/daemon.c
diff options
context:
space:
mode:
authorJeff King <peff@peff.net>2018-01-24 19:56:07 -0500
committerJunio C Hamano <gitster@pobox.com>2018-01-25 13:50:17 -0800
commit19136be3f874ac265195ef35a8c5ed6c417eaea2 (patch)
tree886c23399e0c8f806aa1e21cbb80b1045e6e0f79 /daemon.c
parent314a73d6585bf9caecac3243f7de2d7330e1ff9f (diff)
downloadgit-19136be3f874ac265195ef35a8c5ed6c417eaea2.tar.gz
daemon: fix off-by-one in logging extended attributes
If receive a request like: git-upload-pack /foo.git\0host=localhost we mark the offset of the NUL byte as "len", and then log the bytes after the NUL with a "%.*s" placeholder, using "pktlen - len" as the length, and "line + len + 1" as the start of the string. This is off-by-one, since the start of the string skips past the separating NUL byte, but the adjusted length includes it. Fortunately this doesn't actually read past the end of the buffer, since "%.*s" will stop when it hits a NUL. And regardless of what is in the buffer, packet_read() will always add an extra NUL terminator for safety. As an aside, the git.git client sends an extra NUL after a "host" field, too, so we'd generally hit that one first, not the one added by packet_read(). You can see this in the test output which reports 15 bytes, even though the string has only 14 bytes of visible data. But the point is that even a client sending unusual data could not get us to read past the end of the buffer, so this is purely a cosmetic fix. Reported-by: Michael Haggerty <mhagger@alum.mit.edu> Signed-off-by: Jeff King <peff@peff.net> Signed-off-by: Junio C Hamano <gitster@pobox.com>
Diffstat (limited to 'daemon.c')
-rw-r--r--daemon.c4
1 files changed, 2 insertions, 2 deletions
diff --git a/daemon.c b/daemon.c
index e37e343d0a..d78afc8e96 100644
--- a/daemon.c
+++ b/daemon.c
@@ -759,8 +759,8 @@ static int execute(void)
len = strlen(line);
if (pktlen != len)
loginfo("Extended attributes (%d bytes) exist <%.*s>",
- (int) pktlen - len,
- (int) pktlen - len, line + len + 1);
+ (int) pktlen - len - 1,
+ (int) pktlen - len - 1, line + len + 1);
if (len && line[len-1] == '\n') {
line[--len] = 0;
pktlen--;