Possible security hole

Timo Sirainen tss at iki.fi
Sun Oct 5 06:38:48 EST 2003

Maybe security related mails should be sent elsewhere? I didn't notice 
any so here it goes:


	s->count = read_int(f);
	s->sums = (struct sum_buf *)malloc(sizeof(s->sums[0])*s->count);
	if (!s->sums) out_of_memory("receive_sums");

	for (i=0; i < (int) s->count;i++) {
		s->sums[i].sum1 = read_int(f);

If I read this right, given high enough s->count makes the malloc() 
parameter wraps around to a few bytes while still reading data past it.

Exploiting is probably pretty difficult if at all possible. There would 
have to be some interesting data after the returned pointer. I didn't 
check if there is. Anyway, exit_cleanup() leads to at least a few 
free() calls which could make it exploitable.

I think there's also some potential problems with 64bit systems. 
There's a few arrays that assume it's size will fit into int. Normally 
you'd get out of memory before getting that high, but in 64bit systems 
with enough memory you won't. Of course this also requires sending 
gigabytes of data, but internet is fast nowadays.

More information about the rsync mailing list