diff options
| author | Denton Liu <liu.denton@gmail.com> | 2020-05-19 06:53:58 -0400 |
|---|---|---|
| committer | Junio C Hamano <gitster@pobox.com> | 2020-05-24 16:26:00 -0700 |
| commit | 74b082ad34fe2c727c676dac5c33d5e1e5f5ca56 (patch) | |
| tree | 22b53bf2d7dae28186452dfba44f5866d81f3b4e /remote-curl.c | |
| parent | 101736a14c9ad734fe24efed7513189849cd22eb (diff) | |
| download | git-74b082ad34fe2c727c676dac5c33d5e1e5f5ca56.tar.gz | |
remote-curl: error on incomplete packet
Currently, remote-curl acts as a proxy and blindly forwards packets
between an HTTP server and fetch-pack. In the case of a stateless RPC
connection where the connection is terminated with a partially written
packet, remote-curl will blindly send the partially written packet
before waiting on more input from fetch-pack. Meanwhile, fetch-pack will
read the partial packet and continue reading, expecting more input. This
results in a deadlock between the two processes.
For a stateless connection, inspect packets before sending them and
error out if a packet line packet is incomplete.
Helped-by: Jeff King <peff@peff.net>
Signed-off-by: Denton Liu <liu.denton@gmail.com>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
Diffstat (limited to 'remote-curl.c')
| -rw-r--r-- | remote-curl.c | 59 |
1 files changed, 56 insertions, 3 deletions
diff --git a/remote-curl.c b/remote-curl.c index da3e07184a..e020140092 100644 --- a/remote-curl.c +++ b/remote-curl.c @@ -679,9 +679,53 @@ static curlioerr rpc_ioctl(CURL *handle, int cmd, void *clientp) } #endif +struct check_pktline_state { + char len_buf[4]; + int len_filled; + int remaining; +}; + +static void check_pktline(struct check_pktline_state *state, const char *ptr, size_t size) +{ + while (size) { + if (!state->remaining) { + int digits_remaining = 4 - state->len_filled; + if (digits_remaining > size) + digits_remaining = size; + memcpy(&state->len_buf[state->len_filled], ptr, digits_remaining); + state->len_filled += digits_remaining; + ptr += digits_remaining; + size -= digits_remaining; + + if (state->len_filled == 4) { + state->remaining = packet_length(state->len_buf); + if (state->remaining < 0) { + die(_("remote-curl: bad line length character: %.4s"), state->len_buf); + } else if (state->remaining < 4) { + state->remaining = 0; + } else { + state->remaining -= 4; + } + state->len_filled = 0; + } + } + + if (state->remaining) { + int remaining = state->remaining; + if (remaining > size) + remaining = size; + ptr += remaining; + size -= remaining; + state->remaining -= remaining; + } + } +} + struct rpc_in_data { struct rpc_state *rpc; struct active_request_slot *slot; + int check_pktline; + struct check_pktline_state pktline_state; }; /* @@ -702,6 +746,8 @@ static size_t rpc_in(char *ptr, size_t eltsize, return size; if (size) data->rpc->any_written = 1; + if (data->check_pktline) + check_pktline(&data->pktline_state, ptr, size); write_or_die(data->rpc->in, ptr, size); return size; } @@ -778,7 +824,7 @@ static curl_off_t xcurl_off_t(size_t len) * If flush_received is true, do not attempt to read any more; just use what's * in rpc->buf. */ -static int post_rpc(struct rpc_state *rpc, int flush_received) +static int post_rpc(struct rpc_state *rpc, int stateless_connect, int flush_received) { struct active_request_slot *slot; struct curl_slist *headers = http_copy_default_headers(); @@ -920,6 +966,8 @@ retry: curl_easy_setopt(slot->curl, CURLOPT_WRITEFUNCTION, rpc_in); rpc_in_data.rpc = rpc; rpc_in_data.slot = slot; + rpc_in_data.check_pktline = stateless_connect; + memset(&rpc_in_data.pktline_state, 0, sizeof(rpc_in_data.pktline_state)); curl_easy_setopt(slot->curl, CURLOPT_FILE, &rpc_in_data); curl_easy_setopt(slot->curl, CURLOPT_FAILONERROR, 0); @@ -936,6 +984,11 @@ retry: if (!rpc->any_written) err = -1; + if (rpc_in_data.pktline_state.len_filled) + err = error(_("%d bytes of length header were received"), rpc_in_data.pktline_state.len_filled); + if (rpc_in_data.pktline_state.remaining) + err = error(_("%d bytes of body are still expected"), rpc_in_data.pktline_state.remaining); + curl_slist_free_all(headers); free(gzip_body); return err; @@ -985,7 +1038,7 @@ static int rpc_service(struct rpc_state *rpc, struct discovery *heads, break; rpc->pos = 0; rpc->len = n; - err |= post_rpc(rpc, 0); + err |= post_rpc(rpc, 0, 0); } close(client.in); @@ -1342,7 +1395,7 @@ static int stateless_connect(const char *service_name) BUG("The entire rpc->buf should be larger than LARGE_PACKET_MAX"); if (status == PACKET_READ_EOF) break; - if (post_rpc(&rpc, status == PACKET_READ_FLUSH)) + if (post_rpc(&rpc, 1, status == PACKET_READ_FLUSH)) /* We would have an err here */ break; /* Reset the buffer for next request */ |