Possible security hole
Timo Sirainen
tss at iki.fi
Sun Oct 5 06:38:48 EST 2003
Maybe security-related mails should be sent elsewhere? I didn't notice
any such address, so here it goes:
sender.c:receive_sums()

    s->count = read_int(f);
    ..
    s->sums = (struct sum_buf *)malloc(sizeof(s->sums[0])*s->count);
    if (!s->sums) out_of_memory("receive_sums");
    for (i=0; i < (int) s->count;i++) {
        s->sums[i].sum1 = read_int(f);
        read_buf(f,s->sums[i].sum2,csum_length);
    ..
If I read this right, a high enough s->count makes the malloc()
parameter wrap around to a few bytes while still reading data past it.
Exploiting is probably pretty difficult if at all possible. There would
have to be some interesting data after the returned pointer. I didn't
check if there is. Anyway, exit_cleanup() leads to at least a few
free() calls which could make it exploitable.
I think there are also some potential problems with 64-bit systems.
There are a few arrays that assume their size will fit into an int. Normally
you'd get out of memory before getting that high, but on 64-bit systems
with enough memory you won't. Of course this also requires sending
gigabytes of data, but the internet is fast nowadays.
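The arithmetic the report describes, as an added example that is not part of the original post and not rsync's code: an attacker-chosen element count, read from the wire as a 32-bit integer, is multiplied by the element size with no overflow check, so on a platform with a 32-bit size_t the product can wrap to a handful of bytes while the following loop still writes count elements. The struct layout, the little-endian wire format, the in-memory stream and CSUM_LENGTH are constructed stand-ins for rsync's sum_buf, read_int(), read_buf() and csum_length; the hardened receive routine caps the count, checks the multiplication and fails closed on a short stream.

```c
/* Added example (not rsync's code). Struct layout, wire format, stream and
 * CSUM_LENGTH are constructed stand-ins for sum_buf, read_int(), read_buf()
 * and csum_length. */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define CSUM_LENGTH 16                 /* constructed stand-in for csum_length */

struct sum_buf {                       /* constructed layout: 20 bytes */
    uint32_t sum1;
    unsigned char sum2[CSUM_LENGTH];
};

struct sum_struct {
    size_t count;
    struct sum_buf *sums;
};

/* Emulates sizeof(elem) * count on a platform with a 32-bit size_t. */
uint32_t wrapped_size32(uint32_t count, uint32_t elem_size)
{
    return (uint32_t)((uint64_t)count * elem_size);   /* truncated mod 2^32 */
}

/* Overflow-checked multiply: returns 1 and stores count*elem_size in *out if
 * the product fits under `limit` (SIZE_MAX for a real allocation), else 0. */
int checked_mul(uint64_t count, uint64_t elem_size, uint64_t limit, uint64_t *out)
{
    if (elem_size != 0 && count > limit / elem_size)
        return 0;
    *out = count * elem_size;
    return 1;
}

/* Convenience wrapper: does count*elem_size fit under limit? */
int size_fits(uint64_t count, uint64_t elem_size, uint64_t limit)
{
    uint64_t tmp;
    return checked_mul(count, elem_size, limit, &tmp);
}

/* Constructed in-memory stream replacing the socket/file descriptor. */
struct stream { const unsigned char *data; size_t len; size_t pos; };

static int stream_read_u32(struct stream *st, uint32_t *out)   /* little-endian */
{
    const unsigned char *p;
    if (st->len - st->pos < 4) return 0;
    p = st->data + st->pos;
    *out = (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
    st->pos += 4;
    return 1;
}

static int stream_read_buf(struct stream *st, unsigned char *dst, size_t n)
{
    if (st->len - st->pos < n) return 0;
    memcpy(dst, st->data + st->pos, n);
    st->pos += n;
    return 1;
}

/* Hardened counterpart of receive_sums(): caps the untrusted count, checks the
 * multiplication, fails closed on a short stream.
 * Returns 0 on success, -1 if the count is rejected, -2 if data is truncated. */
int receive_sums_checked(struct stream *st, struct sum_struct *s, uint32_t max_count)
{
    uint32_t count, i;
    uint64_t bytes;
    s->count = 0;
    s->sums = NULL;
    if (!stream_read_u32(st, &count)) return -2;
    if (count > max_count) return -1;                 /* policy cap on the count */
    if (!checked_mul(count, sizeof(struct sum_buf), SIZE_MAX, &bytes)) return -1;
    if (count == 0) return 0;
    s->sums = malloc((size_t)bytes);
    if (!s->sums) return -1;
    for (i = 0; i < count; i++) {
        if (!stream_read_u32(st, &s->sums[i].sum1) ||
            !stream_read_buf(st, s->sums[i].sum2, CSUM_LENGTH)) {
            free(s->sums);
            s->sums = NULL;
            return -2;
        }
    }
    s->count = count;
    return 0;
}

/* Constructed streams: a valid one, one whose count wraps a 32-bit size to 4
 * bytes (214748365 * 20 mod 2^32), and one cut off inside the first entry. */
static const unsigned char good_stream[] = {
    0x02,0,0,0,                                        /* count = 2 */
    0x11,0x22,0x33,0x44, 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,
    0x55,0x66,0x77,0x88, 16,15,14,13,12,11,10,9,8,7,6,5,4,3,2,1
};
static const unsigned char huge_count_stream[] = { 0xCD,0xCC,0xCC,0x0C };
static const unsigned char truncated_stream[] = { 0x03,0,0,0, 0x11,0x22,0x33,0x44, 1,2,3 };

/* Runs one scenario: returns the element count on success or the error code. */
int run_scenario(const unsigned char *data, size_t len, uint32_t *second_sum1)
{
    struct stream st = { data, len, 0 };
    struct sum_struct s;
    int rc = receive_sums_checked(&st, &s, 1u << 20);
    if (rc == 0) {
        if (second_sum1 && s.count > 1) *second_sum1 = s.sums[1].sum1;
        rc = (int)s.count;
    }
    free(s.sums);
    return rc;
}

int demo_good(void)      { return run_scenario(good_stream, sizeof good_stream, NULL); }
int demo_huge(void)      { return run_scenario(huge_count_stream, sizeof huge_count_stream, NULL); }
int demo_truncated(void) { return run_scenario(truncated_stream, sizeof truncated_stream, NULL); }
uint32_t demo_good_second_sum1(void)
{
    uint32_t v = 0;
    run_scenario(good_stream, sizeof good_stream, &v);
    return v;
}
```

The count 214748365 fits in a positive int, so the original loop bound `(int) s->count` does not stop it, yet its product with a 20-byte element is 4 modulo 2^32; the cap and the division-based check reject it before malloc() is ever called, and the 64-bit concern in the mail is covered by the same check with SIZE_MAX as the limit.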