| blob | 1316ea058662a7cface75d45fa309d4a22607b49 |
1 /*
3 peek_packet.c -- peek_packet utility to peek at incoming git-daemon request
4 Copyright (C) 2015,2020 Kyle J. McKay. All rights reserved.
6 This program is free software; you can redistribute it and/or
7 modify it under the terms of the GNU General Public License
8 as published by the Free Software Foundation; either version 2
9 of the License, or (at your option) any later version.
11 This program is distributed in the hope that it will be useful,
12 but WITHOUT ANY WARRANTY; without even the implied warranty of
13 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 GNU General Public License for more details.
16 You should have received a copy of the GNU General Public License
17 along with this program; if not, write to the Free Software
18 Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
20 */
22 /*
23 This utility is intended to be used by a script front end to git daemon
24 running in inetd mode. The first thing the script does is call this utility
25 which attempts to peek the first incoming Git packet off the connection
26 and then output contents after the initial 4-character hex length upto but
27 excluding the first \0 character.
29 At that point the script can validate the incoming request and if it chooses
30 to allow it then exec git daemon to process it. Since the packet was peeked
31 it's still there to be read by git daemon.
33 Note that there is a hard-coded timeout of 30 seconds and a hard-coded limit
34 of PATH_MAX for the length of the initial packet.
36 On failure a non-zero exit code is returned. On success a 0 exit code is
37 returned and peeked text is output to stdout.
39 The connection to be peeked must be fd 0 and will have SO_KEEPALIVE set on it.
41 This utility does not take any arguments and ignores any that are given.
43 The output of a successful peek should be one of these:
45 git-upload-pack /<...>
46 git-upload-archive /<...>
47 git-receive-pack /<...>
49 where "<...>" is replaced with the repository path so, for example, doing
50 "git ls-remote git://example.com/foo.git" would result in this output:
52 git-upload-pack /foo.git
54 Note that the first character could be a ~ instead of a /, but it's
55 probably best to reject those.
57 The output is guaranteed to not contain any bytes with a value less than
58 %x20 except for possibly tab (%x09) characters. Any request that does
59 will produce no output and return a non-zero exit code.
61 If the extra optional "host=" parameter is present, then an additional
62 second line is output in the format:
64 host=<hostname>
66 where <hostname> is the host name only from the extra "host=" parameter
67 that's been lowercased and had a trailing "." removed (but only if that
68 doesn't create the empty string) and had any surrounding '[' and ']' removed
69 from a literal IPv6 address. The <hostname> is guaranteed to only contain
70 bytes in the range %x21-%xFF.
72 If the extra optional "host=" parameter contains a ":" <portnum> suffix
73 then an additional third line will be output of the format:
75 port=<portnum>
77 If just the ":" was present <portnum> will be the empty string otherwise
78 it's guaranteed to be a decimal number with no leading zeros in the range
79 1..65535.
81 For example, this git command:
83 git ls-remote git://example.com/repo.git
85 Will result in peek_packet producing these two lines (unless a very, very
86 old version of Git was used in which case only the first line):
88 git-upload-pack /repo.git
89 host=example.com
91 This git command:
93 git ls-remote git://[::1]:8765/repo.git
95 Will result in peek_packet producing these three lines (unless a very, very
96 old version of Git was used in which case only the first line):
98 git-upload-pack /repo.git
99 host=::1
100 port=8765
102 If the incoming packet looks invalid (or a timeout occurs) then no output
103 is produced, but a non-zero exit code is set.
105 If the remote address is available (getpeername) then two lines of the form
107 remote_addr=<address>
108 remote_port=<port>
110 will be output where <address> is either a dotted IPv4 or an IPv6
111 (without brackets) and <port> is a decimal number with no leading zeros
112 in the range 1..65535.
114 If the local address is available (getsockname) then two lines of the form
116 server_addr=<address>
117 server_port=<port>
119 will be output where <address> is in the same format as remote_addr and
120 <port> is in the same format as remote_port.
121 */
123 /*
125 ;;
126 ;; The Git packet protocol is defined as follows in RFC 5234+7405 syntax
127 ;;
129 BYTE = %x00-FF
131 DIGIT = "0" / "1" / "2" / "3" / "4" / "5" / "6" / "7" / "8" / "9"
133 ; Note that hexdigits are case insensitive
134 HEX-DIGIT = DIGIT / "a" / "b" / "c" / "d" / "e" / "f"
136 PKT-LENGTH = 4HEX-DIGIT ; represents a hexadecimal big-endian non-negative
137 ; value. a length of "0002" or "0003" is invalid.
138 ; lengths "0000" and "0001" have special meaning.
140 PKT-DATA = *BYTE ; first 4 <BYTE>s MUST NOT be %s"ERR "
142 PKT = FLUSH-PKT / DELIM-PKT / ERR-PKT / PROTOCOL-PKT
144 FLUSH-PKT = "0000"
146 DELIM-PKT = "0001"
148 PROTOCOL-PKT = PKT-LENGTH PKT-DATA ; PKT-DATA must contain exactly
149 ; PKT-LENGTH - 4 bytes
151 ERR-PKT = PKT-LENGTH ERR-DATA; ERR-DATA must contain exactly PKT-LENGTH - 4 bytes
153 ERR-DATA = %s"ERR " *BYTE ; Note that "ERR " *IS* case sensitive
155 ;;
156 ;; The first packet sent by a client connecting to a "Git Transport" server
157 ;; has the <GIT-REQUEST-PKT> format
158 ;;
160 GIT-REQUEST-PKT = PKT-LENGTH GIT-REQUEST-DATA ; GIT-REQUEST-DATA must contain
161 ; exactly PKT-LENGTH - 4 bytes
163 ; Normally if %x0A is present it's the final byte (very old Git versions)
164 ; Normally if %x00 is present then %x0A is not (modern Git versions)
165 ; But the current Git versions do parse the %x0A.00 form correctly
166 GIT-REQUEST-DATA = GIT-COMMAND [EXTRA-ARGS]
168 GIT-COMMAND = REQUEST-COMMAND %20 PATHNAME [%0A]
170 ; these are all case sensitive
171 REQUEST-COMMAND = %s"git-upload-pack" /
172 %s"git-receive-pack" /
173 %s"git-upload-archive"
175 PATHNAME = NON-NULL-BYTES
177 EXTRA-ARGS = %x00 HOST-ARG-TRUNCATED /
178 %x00 [HOST-ARG] [%x00 EXTRA-PARMS]
180 HOST-ARG-TRUNCATED = HOST-PARAM HOST-NAME [ ":" [PORTNUM] ]
182 HOST-ARG = HOST-ARG-TRUNCATED %x00
184 ; "host=" is case insensitive
185 HOST-PARAM = "host="
187 HOST-NAME = NON-NULL-BYTES ; should be a valid DNS name
188 ; or IPv4 literal
189 ; or "[" IPv6 literal "]"
190 ; a ":" is only allowed between
191 ; the "[" and "]" of an IPv6 literal
193 ; PORTNUM matches 1..65535 with no leading zeros allowed
194 PORTNUM = ( "1" / "2" / "3" / "4" / "5" ) *4DIGIT /
195 "6" /
196 "6" ( "0" / "1" / "2" / "3" / "4" ) *3DIGIT /
197 "65" ( "0" / "1" / "2" / "3" / "4" ) *2DIGIT /
198 "655" ( "0" / "1" / "2" ) *1DIGIT /
199 "6553" ( "0" / "1" / "2" / "3" / "4" / "5" ) /
200 "6" ( "6" / "7" / "8" / "9" ) *2DIGIT /
201 ( "7" / "8" / "9" ) *3DIGIT
203 EXTRA-PARAMS = *EXTRA-PARAM [EXTRA-PARAM-TRUNCATED]
205 EXTRA-PARAM-TRUNCATED = NON-NULL-BYTES
207 EXTRA-PARAM = EXTRA-PARAM-TRUNCATED %x00
209 NON-NULL-BYTES = *NON-NULL-BYTE
211 NON-NULL-BYTE = %x01-FF
213 */
215 #define HAVE_STDINT_H 1
216 #define HAVE_IPV6 1
217 #define HAVE_INET_NTOP 1
218 #define HAVE_SNPRINTF 1
219 #ifdef CONFIG_H
220 #include CONFIG_H
221 #endif
223 #include <stddef.h>
224 #ifdef HAVE_STDINT_H
225 #include <stdint.h>
226 #endif
227 #include <stdio.h>
228 #include <string.h>
229 #include <stdlib.h>
230 #include <unistd.h>
231 #include <limits.h>
232 #include <time.h>
233 #include <signal.h>
234 #include <sys/types.h>
235 #include <sys/socket.h>
236 #include <netinet/in.h>
237 #include <arpa/inet.h>
238 #ifdef HAVE_IPV6
239 #include <net/if.h>
240 #endif
241 #ifndef HAVE_STDINT_H
244 #endif
246 #ifdef HAVE_IPV6
247 #define IPTOASIZE (INET6_ADDRSTRLEN+IF_NAMESIZE+INET6_ADDRSTRLEN+IF_NAMESIZE+1)
248 #else
250 #endif
254 /* Note that mod_reqtimeout has a default configuration of 20 seconds
255 * maximum to wait for the first byte of the initial request line and
256 * then no more than 40 seconds total, but after the first byte is
257 * received the rest must arrive at 500 bytes/sec or faster. That
258 * means 10000 bytes minimum in 40 seconds. We do not allow the
259 * initial Git packet to be longer than PATH_MAX (which is typically
260 * either 1024 or 4096). And since 20 + 1024/500 = 22.048 and
261 * 20 + 4096/500 = 28.192 using 30 seconds for a total timeout is
262 * quite reasonable in comparison to mod_reqtimeout's default conf.
263 */
269 #if !defined(PATH_MAX) || PATH_MAX+0 < 4096
270 #define BUFF_MAX 4096
271 #else
272 #define BUFF_MAX PATH_MAX
273 #endif
275 /* avoid requiring C99 library */
277 {
282 }
284 /* avoid requiring C99 library */
285 #ifdef HAVE_IPV6
287 {
294 }
299 /* returns >0 if m1 and m2 are NOT equal comparing first len bytes
300 ** returns 0 if m1 and m2 ARE equal but ignoring case (POSIX locale)
301 ** essentially the same as the non-existent memcasecmp except that only
302 ** a 0 or >0 result is possible and a >0 result only means not-equal */
304 {
311 }
313 }
316 {
324 }
329 /* Ideally we could just use MSG_PEEK + MSG_WAITALL, and that works nicely
330 * on BSD-type distros. Unfortunately very bad things happen on Linux with
331 * that combination -- a CPU core runs at 100% until all the data arrives.
332 * So instead we omit the MSG_WAITALL and poll every POLL_QUANTUM interval
333 * to see if we've satisfied the requested amount yet.
334 */
336 {
342 }
344 }
347 {
350 }
353 {
355 }
365 #ifdef HAVE_IPV6
367 #endif
372 {
380 sockaddr_univ_t sockname;
381 socklen_t socknamelen;
387 /* Ideally calling recv with MSG_PEEK would never, ever hang. However
388 * even with MSG_PEEK, recv still waits for at least the first message
389 * to arrive on the socket (unless it's non-blocking). For this reason
390 * we set an alarm timer at TIMEOUT_SECS + 2 to make sure we don't
391 * remain stuck in the recv call waiting for the first message.
392 */
423 /* skip over 4-byte <PKT-LENGTH> */
427 /* thanks to check above, pktend - ptr always >= 18 */
431 /* validate the entire packet format now */
433 /* find length of <GIT-COMMAND> */
435 /* thanks to the quick sanity check, gitlen always >= 4 */
437 /* skip over <GIT-COMMAND> */
440 /* strip trailing \n from <GIT-COMMAND> */
442 }
446 /* now comes the optional <HOST-ARG> */
449 /* skip over <HOST-PARAM> part */
453 /* failed to parse rest of <HOST-ARG-TRUNCATED> */
455 /* skip over rest of <HOST-ARG>, okay if ptr ends up > pktend */
457 }
463 /* now skip over the rest of the extra args with minimal validation */
466 /* if (zlen) process_arg(ptr, zlen); */
468 }
486 }
494 }
497 }
503 {
508 /* IPv6 literal */
516 }
523 }
528 /* empty port */
538 }
548 }
553 }
557 }
565 }
567 }
569 /* the tab character %x09 is not considered a control here */
571 {
577 }
579 }
582 {
588 }
590 }
593 {
600 }
601 #if defined(HAVE_IPV6) && defined(HAVE_INET_NTOP)
607 #if IF_NAMESIZE < 9
608 #define XIF_NAMESIZE 9
609 #else
610 #define XIF_NAMESIZE IF_NAMESIZE
611 #endif
617 /* This can happen on odd systems */
618 #ifdef HAVE_SNPRINTF
620 #else
621 /* 0xFFFFFFFF only requires 9 digits and XIF_NAMESIZE is >= 9
622 * therefore it's guaranteed to fit and not overflow */
624 #endif
625 }
629 }
630 }
632 }
634 }
637 {
641 }
642 #ifdef HAVE_IPV6
646 }
647 #endif
649 }