Skip to content

path: bound directory-walk recursion depth to prevent stack overflow#45

Open
acts-1631 wants to merge 1 commit into
upa:mainfrom
acts-1631:fix/unbounded-recursion-dos
Open

path: bound directory-walk recursion depth to prevent stack overflow#45
acts-1631 wants to merge 1 commit into
upa:mainfrom
acts-1631:fix/unbounded-recursion-dos

Conversation

@acts-1631

Copy link
Copy Markdown

walk_path_recursive() recurses once per directory level with no depth limit. A remote SFTP server (malicious or just compromised) can hand back an arbitrarily deep directory tree, and the client will keep recursing until the thread stack runs out and the process crashes.

I reproduced this locally: a 400-level-deep directory tree segfaults the current code. This patch adds a depth counter and bails out with an error past 256 levels, which is far deeper than any real directory layout needs and keeps stack usage to a couple MB.

walk_path_recursive() recursed once per directory level with no
depth limit. A remote SFTP server (malicious or compromised) can
present an arbitrarily deep directory hierarchy, causing the client
to recurse until the thread stack is exhausted and the process
crashes (SIGSEGV), aborting the transfer.

Reproduced locally: a 400-level-deep local directory tree crashes
the unpatched walk_src_path() with a segmentation fault (stack
overflow). With this patch, the same tree is rejected cleanly with
a 'directory nesting too deep' error and no crash.

Add a depth counter threaded through walk_path_recursive(), bailing
out at 256 levels -- deep enough for any realistic directory
layout while keeping stack usage to roughly 1-2MB, well within the
default 8MB thread stack.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant