bundle2: error parts can exceed length limits and crash the server

Siddharth Agarwal sid at less-broken.com
Tue Apr 4 02:35:17 UTC 2017


While reimplementing bundle2 for our Rust server, I ran into an 
interesting issue with error parts.

Some relevant background:

1. A bundle2 consists of zero or more "parts".
2. Each part has a header, consisting of
   - a part type
   - a numeric part id
   - part parameters
3. Part parameters are (key, value) pairs, and each key or value has a 
max length of 255 bytes.
4. Each part also carries a payload, which is unbounded in length.

Now for error parts like "error:pushraced" or "error:abort", the error 
message is passed in as a parameter, not as part of the payload (e.g. 
[1]). However, error messages are actually unbounded in length.

This means that a Mercurial server generating a bundle2 will crash if it 
encounters an error over 255 bytes long.

That seems unfortunate and an emergency hotfix waiting to happen.

Does it make sense to do something like:

* Truncate the error to 255 bytes (for BC with older clients)
* Store the full error message in a payload chunk?

- Siddharth

[1] 
https://www.mercurial-scm.org/repo/hg/file/4.1.2/mercurial/wireproto.py#l1049
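
The failure and the proposed mitigation described in the message above, as an added example that is not part of the original post and is not Mercurial's code. It assumes a simplified parameter block in which every key and value length is stored in one unsigned byte (consistent with the 255-byte limit stated above); the function names and the `message` parameter key are hypothetical.

```python
import struct

MAX_PARAM_LEN = 255  # each key or value length must fit in one unsigned byte


def pack_params(params):
    """Serialize (key, value) byte pairs as: count, size table, then data.

    Simplified model of a part header's parameter block. Sizes are packed
    with struct format 'B', so any key or value over 255 bytes raises
    struct.error instead of producing output.
    """
    sizes = []
    for key, value in params:
        sizes.extend((len(key), len(value)))
    header = struct.pack(">B", len(params))
    header += struct.pack(">" + "B" * len(sizes), *sizes)
    return header + b"".join(k + v for k, v in params)


def build_error_part(message):
    """Naive form: the whole error message travels as a parameter."""
    return pack_params([(b"message", message)]), b""


def build_error_part_bounded(message):
    """Proposed form: truncated parameter, full message in the payload."""
    params = [(b"message", message[:MAX_PARAM_LEN])]
    payload = message if len(message) > MAX_PARAM_LEN else b""
    return pack_params(params), payload


def demo():
    long_msg = b"abort: " + b"x" * 400  # constructed 407-byte error message
    try:
        build_error_part(long_msg)
        crashed = False
    except struct.error:
        crashed = True  # the server-side failure described in the post
    header, payload = build_error_part_bounded(long_msg)
    return crashed, len(header), len(payload)


if __name__ == "__main__":
    print(demo())
```

Older clients that only read the parameter still get the first 255 bytes, while a client aware of the payload can recover the full text.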


