svn_checksum__from_digest() core dump on invalid input

From: Blair Zajac <blair_at_orcaware.com>
Date: Sat, 14 Apr 2012 12:13:33 -0700

In tracking down spurious coredumps we have in our custom RPC server, I found
one in svn_checksum__from_digest() due to bad input:

svn_checksum_t *
svn_checksum__from_digest(const unsigned char *digest,
                           svn_checksum_kind_t kind,
                           apr_pool_t *result_pool)
{
   svn_checksum_t *checksum = svn_checksum_create(kind, result_pool);

memcpy((unsigned char *)checksum->digest, digest, DIGESTSIZE(kind));
return checksum;
}

If kind is invalid, then svn_checksum_create() returns NULL, which then
coredumps in memcpy().

Normally, I would change svn_checksum__from_digest() to

svn_error_t *
svn_checksum__from_digest(svn_checksum_t **checksum,
                           const unsigned char *digest,
                           svn_checksum_kind_t kind,
                           apr_pool_t *result_pool);

but I'm wondering how the checksum code needs to handle newer checksums in older
Subversion servers? Say 1.9 adds sha224 and then we read the repos in 1.7, how
should svn handle this? Should it throw a SVN_ERR_BAD_CHECKSUM_KIND or silently
map an unknown checksum to NULL? Do we want to conditionally support checksums
depending upon repository version?

Frankly, I'm happy I got a core dump in our code since it prevented bad data
from being used. My feeling is that the bad data is coming from a cache entry
that is released but something has a pointer to it still.

Blair
Received on 2012-04-14 21:14:08 CEST

This message: [ Message body ]
Next message: Johan Corveleyn: "Re: Subversion 1.6.18 released"
Previous message: Hyrum K Wright: "Ev2 and Authz"

Contemporary messages sorted: [ by date ] [ by thread ] [ by subject ] [ by author ] [ by messages with attachments ]