Re: [PATCH 4/5] strbuf_readlink(): support link targets that exceed PATH_MAX
From: Johannes Schindelin <hidden>
Date: 2025-12-19 08:50:21
Hi Patrick, On Wed, 17 Dec 2025, Patrick Steinhardt wrote:
On Tue, Dec 16, 2025 at 03:33:48PM +0000, Karsten Blees via GitGitGadget wrote:quoted
diff --git a/strbuf.c b/strbuf.c index 44a8f6a554..fa4e30f112 100644 --- a/strbuf.c +++ b/strbuf.c@@ -566,8 +566,6 @@ ssize_t strbuf_write(struct strbuf *sb, FILE *f) return sb->len ? fwrite(sb->buf, 1, sb->len, f) : 0; } -#define STRBUF_MAXLINK (2*PATH_MAX) - int strbuf_readlink(struct strbuf *sb, const char *path, size_t hint) { size_t oldalloc = sb->alloc;@@ -575,7 +573,7 @@ int strbuf_readlink(struct strbuf *sb, const char *path, size_t hint) if (hint < 32) hint = 32; - while (hint < STRBUF_MAXLINK) { + for (;;) { ssize_t len; strbuf_grow(sb, hint + 1);This makes me wonder whether we have a better way to figure out the actual size of the buffer that we ultimately need to allocate. But reading through readlink(3p) doesn't indicate anything, and I'm not sure whether we can always rely on lstat(3p) to return the correct size for symlink contents on all platforms. One thing that _is_ noted though is that calling the function with a buffer size larger than SSIZE_MAX is implementation-defined. It does make me a bit uneasy in that light to grow indefinitely. Which makes me wonder whether Windows has a limit for the symlink contents that we could enforce in theory so that we can reasonably turn this into a bounded loop again?
https://learn.microsoft.com/en-us/windows/win32/fileio/maximum-file-path-limitation suggests that the maximum permissible target path should be 32,768. But that's not _quite_ correct, as `../t/../Documentation/RelNotes/../../README.md` is a perfectly valid (if awkward) symlink target. Still, I would say that 32,768 would make for a fine (still insanely high, but not so high as to allow malicious symlinks to cause memory problems) limit. Sound good? Johannes