Possible security hole

Timo Sirainen tss at iki.fi
Tue Oct 7 07:59:31 EST 2003

On Sun, 2003-10-05 at 02:56, Wayne Davison wrote:
> On Sat, Oct 04, 2003 at 11:38:48PM +0300, Timo Sirainen wrote:
> > 	for (i=0; i < (int) s->count;i++) {
> Yeah, that's pretty bad.  Attached is a patch that should fix this and a
> number of other related problems where the code assumed that size_t
> would fit into an int.

The main problem wasn't int vs. size_t. malloc() call would have
overflowed even if i had been size_t.

Included a patch that fixes all the potential malloc()/realloc()
overflows that I found. I'd feel a bit safer with them included :)

-------------- next part --------------
A non-text attachment was scrubbed...
Name: rsync.diff
Type: text/x-patch
Size: 4860 bytes
Desc: not available
Url : http://lists.samba.org/archive/rsync/attachments/20031007/99df2a82/rsync.bin

More information about the rsync mailing list