
Re: [PATCH] Subversion Command-Line Client crashes with long lists of options

From: Max Bowsher <maxb_at_ukf.net>
Date: 2005-07-04 14:09:16 CEST

David James wrote:
>> Right now, if you pass in a really long list of valid arguments into
>> the command-line client, you can overflow its buffer of command-line
>> options and execute arbitrary code. The impact of this bug is
>> mitigated by the fact that users who have access to the command-line
>> client can usually already execute arbitrary code.
>> To see this bug in action, type the following command:
>> yes --old | head -n 300 | xargs svn
>> Before the patch:
>> james@syntax% yes --old | head -n 300 | xargs svn
>> xargs: svn: terminated by signal 11
>> After the patch:
>> james@syntax% yes --old | head -n 300 | xargs subversion/clients/cmdline/svn
>> svn: Too many options
>> clients/cmdline/main.c
>> (main): Prevent buffer overflow when list of command-line options is very
>> long

Thanks for the report.

Branko Čibej wrote:
> Actually, the use of a statically-sized array to hold options is wrong
> in the first place. I'd prefer a fix that changes the type of
> received_opts.

Yes, an apr array should handle this just fine.
Fixed in r15251, and proposed for backport.


Received on Mon Jul 4 14:12:26 2005
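
The two fixes discussed in this thread (a bounds check on the fixed array, and a growable array in its place), side by side as an added example. This is not Subversion's code or the r15251 change: `MAX_OPTS`, `opt_id`, `collect_fixed`, `collect_dynamic` and `demo` are hypothetical names, and a plain `realloc`-grown array stands in for an APR array.

```c
#include <stdlib.h>

#define MAX_OPTS 50   /* constructed limit, not Subversion's value */
/* Hypothetical parser stand-in: any "--name" argument yields option id 1. */
static int opt_id(const char *arg) { return arg[0] == '-' && arg[1] == '-'; }

/* Fixed array with the bounds check: count stored, or -1 for "too many". */
int collect_fixed(int argc, const char **argv, int out[MAX_OPTS])
{
    int n = 0;
    for (int i = 0; i < argc; i++) {
        if (!opt_id(argv[i])) continue;
        if (n >= MAX_OPTS) return -1;   /* never write past out[MAX_OPTS - 1] */
        out[n++] = opt_id(argv[i]);
    }
    return n;
}

/* Growable array, no fixed limit: count (caller frees *out), or -1 on OOM. */
int collect_dynamic(int argc, const char **argv, int **out)
{
    size_t cap = 8, n = 0;
    int *buf = malloc(cap * sizeof *buf);
    if (!buf) return -1;
    for (int i = 0; i < argc; i++) {
        if (!opt_id(argv[i])) continue;
        if (n == cap) {                 /* full: double, guarding the size math */
            int *tmp = cap > (size_t)-1 / (2 * sizeof *buf) ? NULL
                     : realloc(buf, 2 * cap * sizeof *buf);
            if (!tmp) { free(buf); return -1; }
            buf = tmp; cap *= 2;
        }
        buf[n++] = opt_id(argv[i]);
    }
    *out = buf;
    return (int)n;
}

int demo(int count, int dynamic)   /* constructed input: count x "--old" */
{
    const char **argv = malloc((size_t)count * sizeof *argv);
    int fixed[MAX_OPTS], *dyn = NULL, r;
    if (!argv) return -2;
    for (int i = 0; i < count; i++) argv[i] = "--old";
    r = dynamic ? collect_dynamic(count, argv, &dyn) : collect_fixed(count, argv, fixed);
    free(dyn); free(argv);
    return r;
}

int main(void) { return demo(300, 0) == -1 && demo(300, 1) == 300 ? 0 : 1; }
```

With 300 options the checked fixed array refuses the input, while the growable array accepts all 300.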

This is an archived mail posted to the Subversion Dev mailing list.
