Possible security hole
Timo Sirainen
tss at iki.fi
Tue Oct 7 07:59:31 EST 2003
On Sun, 2003-10-05 at 02:56, Wayne Davison wrote:
> On Sat, Oct 04, 2003 at 11:38:48PM +0300, Timo Sirainen wrote:
> > for (i=0; i < (int) s->count;i++) {
>
> Yeah, that's pretty bad. Attached is a patch that should fix this and a
> number of other related problems where the code assumed that size_t
> would fit into an int.
The main problem wasn't int vs. size_t. malloc() call would have
overflowed even if i had been size_t.
Included a patch that fixes all the potential malloc()/realloc()
overflows that I found. I'd feel a bit safer with them included :)
-------------- next part --------------
A non-text attachment was scrubbed...
Name: rsync.diff
Type: text/x-patch
Size: 4860 bytes
Desc: not available
Url : http://lists.samba.org/archive/rsync/attachments/20031007/99df2a82/rsync.bin
More information about the rsync
mailing list