streams: don't write more than SSIZE_MAX

ethomson · ethomson · commit f1986a23d8e9 · 2019-01-25T22:47:39.000Z
Our streams implementation takes a `size_t` that indicates the length of
the data buffer to be written, and returns an `ssize_t` that indicates
the length that _was_ written.  Clearly no such implementation can write
more than `SSIZE_MAX` bytes.  Ensure that each TLS stream implementation
does not try to write more than `SSIZE_MAX` bytes (or smaller; if the
given implementation takes a smaller size).
diff --git a/src/streams/mbedtls.c b/src/streams/mbedtls.c
@@ -303,22 +303,22 @@ static int mbedtls_set_proxy(git_stream *stream, const git_proxy_options *proxy_
 	return git_stream_set_proxy(st->io, proxy_options);
 }
 
-ssize_t mbedtls_stream_write(git_stream *stream, const char *data, size_t len, int flags)
+ssize_t mbedtls_stream_write(git_stream *stream, const char *data, size_t data_len, int flags)
 {
-	size_t read = 0;
+	ssize_t written = 0, len = min(data_len, SSIZE_MAX);
 	mbedtls_stream *st = (mbedtls_stream *) stream;
 
 	GIT_UNUSED(flags);
 
 	do {
-		int error = mbedtls_ssl_write(st->ssl, (const unsigned char *)data + read, len - read);
+		int error = mbedtls_ssl_write(st->ssl, (const unsigned char *)data + written, len - written);
 		if (error <= 0) {
 			return ssl_set_error(st->ssl, error);
 		}
-		read += error;
-	} while (read < len);
+		written += error;
+	} while (written < len);
 
-	return read;
+	return written;
 }
 
 ssize_t mbedtls_stream_read(git_stream *stream, void *data, size_t len)
diff --git a/src/streams/openssl.c b/src/streams/openssl.c
@@ -644,10 +644,10 @@ static int openssl_set_proxy(git_stream *stream, const git_proxy_options *proxy_
 	return git_stream_set_proxy(st->io, proxy_opts);
 }
 
-ssize_t openssl_write(git_stream *stream, const char *data, size_t len, int flags)
+ssize_t openssl_write(git_stream *stream, const char *data, size_t data_len, int flags)
 {
 	openssl_stream *st = (openssl_stream *) stream;
-	int ret;
+	int ret, len = min(data_len, INT_MAX);
 
 	GIT_UNUSED(flags);
 
diff --git a/src/streams/socket.c b/src/streams/socket.c
@@ -130,10 +130,9 @@ int socket_connect(git_stream *stream)
 	return 0;
 }
 
-ssize_t socket_write(git_stream *stream, const char *data, size_t len, int flags)
+ssize_t socket_write(git_stream *stream, const char *data, size_t data_len, int flags)
 {
-	ssize_t ret;
-	size_t off = 0;
+	ssize_t ret, off = 0, len = min(data_len, SSIZE_MAX);
 	git_socket_stream *st = (git_socket_stream *) stream;
 
 	while (off < len) {
diff --git a/src/streams/stransport.c b/src/streams/stransport.c
@@ -164,11 +164,12 @@ static ssize_t stransport_write(git_stream *stream, const char *data, size_t len
 
 	GIT_UNUSED(flags);
 
-	data_len = len;
+	data_len = min(len, SSIZE_MAX);
 	if ((ret = SSLWrite(st->ctx, data, data_len, &processed)) != noErr)
 		return stransport_error(ret);
 
-	return processed;
+	assert(processed < SSIZE_MAX);
+	return (ssize_t)processed;
 }
 
 /*

Original file line number	Diff line number	Diff line change
`@@ -303,22 +303,22 @@ static int mbedtls_set_proxy(git_stream stream, const git_proxy_options proxy_`
`303`	`303`	`return git_stream_set_proxy(st->io, proxy_options);`
`304`	`304`	`}`
`305`	`305`
`306`		`-ssize_t mbedtls_stream_write(git_stream stream, const char data, size_t len, int flags)`
	`306`	`+ssize_t mbedtls_stream_write(git_stream stream, const char data, size_t data_len, int flags)`
`307`	`307`	`{`
`308`		`- size_t read = 0;`
	`308`	`+ ssize_t written = 0, len = min(data_len, SSIZE_MAX);`
`309`	`309`	`mbedtls_stream st = (mbedtls_stream ) stream;`
`310`	`310`
`311`	`311`	`GIT_UNUSED(flags);`
`312`	`312`
`313`	`313`	`do {`
`314`		`- int error = mbedtls_ssl_write(st->ssl, (const unsigned char *)data + read, len - read);`
	`314`	`+ int error = mbedtls_ssl_write(st->ssl, (const unsigned char *)data + written, len - written);`
`315`	`315`	`if (error <= 0) {`
`316`	`316`	`return ssl_set_error(st->ssl, error);`
`317`	`317`	`}`
`318`		`- read += error;`
`319`		`- } while (read < len);`
	`318`	`+ written += error;`
	`319`	`+ } while (written < len);`
`320`	`320`
`321`		`- return read;`
	`321`	`+ return written;`
`322`	`322`	`}`
`323`	`323`
`324`	`324`	`ssize_t mbedtls_stream_read(git_stream stream, void data, size_t len)`
Original file line number	Diff line number	Diff line change
`@@ -644,10 +644,10 @@ static int openssl_set_proxy(git_stream stream, const git_proxy_options proxy_`
`644`	`644`	`return git_stream_set_proxy(st->io, proxy_opts);`
`645`	`645`	`}`
`646`	`646`
`647`		`-ssize_t openssl_write(git_stream stream, const char data, size_t len, int flags)`
	`647`	`+ssize_t openssl_write(git_stream stream, const char data, size_t data_len, int flags)`
`648`	`648`	`{`
`649`	`649`	`openssl_stream st = (openssl_stream ) stream;`
`650`		`- int ret;`
	`650`	`+ int ret, len = min(data_len, INT_MAX);`
`651`	`651`
`652`	`652`	`GIT_UNUSED(flags);`
`653`	`653`
Original file line number	Diff line number	Diff line change
`@@ -130,10 +130,9 @@ int socket_connect(git_stream *stream)`
`130`	`130`	`return 0;`
`131`	`131`	`}`
`132`	`132`
`133`		`-ssize_t socket_write(git_stream stream, const char data, size_t len, int flags)`
	`133`	`+ssize_t socket_write(git_stream stream, const char data, size_t data_len, int flags)`
`134`	`134`	`{`
`135`		`- ssize_t ret;`
`136`		`- size_t off = 0;`
	`135`	`+ ssize_t ret, off = 0, len = min(data_len, SSIZE_MAX);`
`137`	`136`	`git_socket_stream st = (git_socket_stream ) stream;`
`138`	`137`
`139`	`138`	`while (off < len) {`