From: Johannes Schindelin <Johannes.Schindelin@gmx•de>
To: Patrick Steinhardt <ps@pks•im>
Cc: Karsten Blees via GitGitGadget <gitgitgadget@gmail•com>,
git@vger•kernel.org, Karsten Blees <karsten.blees@gmail•com>
Subject: Re: [PATCH 4/5] strbuf_readlink(): support link targets that exceed PATH_MAX
Date: Fri, 19 Dec 2025 09:50:15 +0100 (CET)
Message-ID: <5778a03b-2e33-9224-e051-664c2d530fc3@gmx.de>
In-Reply-To: <aULB3wCFGsbZbuSw@pks.im>

Hi Patrick,

On Wed, 17 Dec 2025, Patrick Steinhardt wrote:

> On Tue, Dec 16, 2025 at 03:33:48PM +0000, Karsten Blees via GitGitGadget wrote:
> > diff --git a/strbuf.c b/strbuf.c
> > index 44a8f6a554..fa4e30f112 100644
> > --- a/strbuf.c
> > +++ b/strbuf.c
> > @@ -566,8 +566,6 @@ ssize_t strbuf_write(struct strbuf *sb, FILE *f)
> > return sb->len ? fwrite(sb->buf, 1, sb->len, f) : 0;
> > }
> >
> > -#define STRBUF_MAXLINK (2*PATH_MAX)
> > -
> > int strbuf_readlink(struct strbuf *sb, const char *path, size_t hint)
> > {
> > size_t oldalloc = sb->alloc;
> > @@ -575,7 +573,7 @@ int strbuf_readlink(struct strbuf *sb, const char *path, size_t hint)
> > if (hint < 32)
> > hint = 32;
> >
> > - while (hint < STRBUF_MAXLINK) {
> > + for (;;) {
> > ssize_t len;
> >
> > strbuf_grow(sb, hint + 1);
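
Review bot: With the `hint < STRBUF_MAXLINK` condition replaced by `for (;;)`, nothing visible in this hunk bounds the `hint` passed to `strbuf_grow(sb, hint + 1)`, so the size requested now depends entirely on the link being read and on what the loop body does further down. I would keep a named upper limit in the loop condition and return an error once `hint` passes it, instead of dropping the check outright, and have the commit message state which limit is intended and why.
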
>
> This makes me wonder whether we have a better way to figure out the
> actual size of the buffer that we ultimately need to allocate. But
> reading through readlink(3p) doesn't indicate anything, and I'm not sure
> whether we can always rely on lstat(3p) to return the correct size for
> symlink contents on all platforms.
>
> One thing that _is_ noted though is that calling the function with a
> buffer size larger than SSIZE_MAX is implementation-defined. It does
> make me a bit uneasy in that light to grow indefinitely.
>
> Which makes me wonder whether Windows has a limit for the symlink
> contents that we could enforce in theory so that we can reasonably turn
> this into a bounded loop again?

https://learn.microsoft.com/en-us/windows/win32/fileio/maximum-file-path-limitation
suggests that the maximum permissible target path should be 32,768. But
that's not _quite_ correct, as
`../t/../Documentation/RelNotes/../../README.md` is a perfectly valid (if
awkward) symlink target.

Still, I would say that 32,768 would make for a fine (still insanely high,
but not so high as to allow malicious symlinks to cause memory problems)
limit.

Sound good?

Johannes
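
A bounded version of the grow-and-retry loop discussed above, as an added example that is not part of the original message and is not Git's `strbuf_readlink()`. The names `read_link_bounded` and `LINK_TARGET_MAX` are hypothetical; it uses plain `malloc`-style buffers instead of `struct strbuf` and assumes POSIX `readlink()`.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define LINK_TARGET_MAX 32768 /* hypothetical name; value is the cap proposed above */

/*
 * Read the target of symlink `path` into a malloc'ed, NUL-terminated string.
 * The buffer doubles until the target fits but never exceeds `max` bytes;
 * a target of `max` bytes or more fails with errno = ENAMETOOLONG.
 * Returns the target length, or -1 with errno set and *out == NULL.
 */
static ssize_t read_link_bounded(const char *path, char **out, size_t max)
{
	size_t size = 32;
	char *buf = NULL;

	*out = NULL;
	for (;;) {
		char *tmp;
		ssize_t len;

		if (size > max)
			size = max; /* clamp the final attempt to the cap */
		tmp = realloc(buf, size + 1);
		if (!tmp) {
			free(buf);
			return -1;
		}
		buf = tmp;
		len = readlink(path, buf, size);
		if (len >= 0 && (size_t)len < size) {
			buf[len] = '\0'; /* readlink() does not terminate */
			*out = buf;
			return len;
		}
		if (len < 0 || size >= max) {
			/* real error, or still truncated at the cap */
			int saved = len < 0 ? errno : ENAMETOOLONG;
			free(buf);
			errno = saved;
			return -1;
		}
		size *= 2; /* len == size means the result may be truncated */
	}
}
```
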

Thread overview: 21+ messages
2025-12-16 15:33 [PATCH 0/5] Last preparations before upstreaming Git for Windows' symlink support Johannes Schindelin via GitGitGadget
2025-12-16 15:33 ` [PATCH 1/5] mingw: do resolve symlinks in `getcwd()` Johannes Schindelin via GitGitGadget
2025-12-17 14:44 ` Patrick Steinhardt
2025-12-16 15:33 ` [PATCH 2/5] init: do parse _all_ core.* settings early Johannes Schindelin via GitGitGadget
2025-12-17 14:44 ` Patrick Steinhardt
2025-12-16 15:33 ` [PATCH 3/5] strbuf_readlink(): avoid calling `readlink()` twice in corner-cases Karsten Blees via GitGitGadget
2025-12-16 15:33 ` [PATCH 4/5] strbuf_readlink(): support link targets that exceed PATH_MAX Karsten Blees via GitGitGadget
2025-12-17 14:44 ` Patrick Steinhardt
2025-12-19 8:50 ` Johannes Schindelin [this message]
2025-12-19 11:51 ` Patrick Steinhardt
2025-12-30 5:00 ` Junio C Hamano
2025-12-17 23:39 ` Junio C Hamano
2025-12-16 15:33 ` [PATCH 5/5] trim_last_path_component(): avoid hard-coding the directory separator Karsten Blees via GitGitGadget
2026-01-09 20:05 ` [PATCH v2 0/5] Last preparations before upstreaming Git for Windows' symlink support Johannes Schindelin via GitGitGadget
2026-01-09 20:05 ` [PATCH v2 1/5] mingw: do resolve symlinks in `getcwd()` Johannes Schindelin via GitGitGadget
2026-01-09 20:05 ` [PATCH v2 2/5] init: do parse _all_ core.* settings early Johannes Schindelin via GitGitGadget
2026-01-09 20:05 ` [PATCH v2 3/5] strbuf_readlink(): avoid calling `readlink()` twice in corner-cases Karsten Blees via GitGitGadget
2026-01-09 20:05 ` [PATCH v2 4/5] strbuf_readlink(): support link targets that exceed 2*PATH_MAX Johannes Schindelin via GitGitGadget
2026-01-09 20:05 ` [PATCH v2 5/5] trim_last_path_component(): avoid hard-coding the directory separator Karsten Blees via GitGitGadget
2026-01-11 4:04 ` [PATCH v2 0/5] Last preparations before upstreaming Git for Windows' symlink support Junio C Hamano
2026-01-12 8:35 ` Patrick Steinhardt