Skip to content

fix(win): remove MAX_PATH dependency #135

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
supervacuus merged 2 commits into from
Oct 20, 2025
Merged

fix(win): remove MAX_PATH dependency #135

supervacuus merged 2 commits into from
Oct 20, 2025

Conversation

@supervacuus
Copy link
Collaborator

@supervacuus supervacuus commented Oct 17, 2025

This is meant to be merged and released with getsentry/sentry-native#1413.

It removes MAX_PATH dependencies where it makes sense (similar in intent to getsentry/breakpad#43). In particular, MAX_PATH will no longer be used for

  • attachment paths
  • retrieving the module filename via GetModuleFileName()
  • retrieving the pipename via GetFileInformationByHandleEx()

While the latter two are only changes in terms of heap buffer handling, the first item required an adaptation of the IPC protocol. There were two options:

  • adapt the entire IPC protocol to support dynamically sized bytestreams (currently, only fixed-sized messages are supported)
  • add only a special handler for dynamically sized attachment paths on the client and serve

I chose the latter option because it introduces the least amount of change with respect to upstream maintenance.

seer-by-sentry[bot]
seer-by-sentry bot reviewed Oct 17, 2025
View reviewed changes
util/win/exception_handler_server.cc
Comment on lines +432 to +433
auto path_buffer =
base::HeapArray<wchar_t>::Uninit(path_length_bytes / sizeof(wchar_t));
Copy link

@seer-by-sentry seer-by-sentry bot Oct 17, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Potential bug: The buffer allocation for path_buffer uses integer division on path_length_bytes without validating its divisibility by sizeof(wchar_t), potentially creating an undersized buffer.

  • Description: In HandleAddAttachmentV2 and HandleRemoveAttachmentV2, the buffer for an attachment path is allocated using path_length_bytes / sizeof(wchar_t). This calculation uses integer division, which truncates the result. If the server receives a path_length_bytes value from a client that is not evenly divisible by sizeof(wchar_t) (2 bytes), the allocated path_buffer will be smaller than path_length_bytes. The subsequent call to LoggingReadFileExactly attempts to read the full path_length_bytes into this undersized buffer, causing a heap buffer overflow. This can lead to memory corruption or a crash of the exception handler server.

  • Suggested fix: Before allocating the buffer in HandleAddAttachmentV2 and HandleRemoveAttachmentV2, add a check to validate that path_length_bytes is evenly divisible by sizeof(wchar_t). If the check fails, log an error and return early to prevent the allocation and subsequent buffer overflow.
    severity: 0.85, confidence: 0.95

Did we get this right? 👍 / 👎 to inform future reviews.

Copy link
Collaborator Author

@supervacuus supervacuus Oct 17, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

While we can be sure that our untampered client will send bytes that are multiples of wchar_t, since it is IPC, we should protect against malicious or corrupted input. I will add further validation of the incoming message.

@supervacuus supervacuus merged commit 1b4a591 into getsentry Oct 20, 2025
17 checks passed
@supervacuus supervacuus deleted the fix/win/eliminate_max_path branch October 20, 2025 12:21
@BrewTestBot BrewTestBot mentioned this pull request Oct 29, 2025
Merged
1 task
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@seer-by-sentry seer-by-sentry[bot] seer-by-sentry[bot] left review comments

@jpnurmi jpnurmi jpnurmi approved these changes

@JoshuaMoelans JoshuaMoelans JoshuaMoelans approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@supervacuus @jpnurmi @JoshuaMoelans