Possible security hole

jw schultz jw at pegasys.ws
Tue Oct 7 08:39:14 EST 2003

On Tue, Oct 07, 2003 at 12:59:31AM +0300, Timo Sirainen wrote:
> On Sun, 2003-10-05 at 02:56, Wayne Davison wrote:
> > On Sat, Oct 04, 2003 at 11:38:48PM +0300, Timo Sirainen wrote:
> > > 	for (i=0; i < (int) s->count;i++) {
> > 
> > Yeah, that's pretty bad.  Attached is a patch that should fix this and a
> > number of other related problems where the code assumed that size_t
> > would fit into an int.
> The main problem wasn't int vs. size_t. malloc() call would have
> overflowed even if i had been size_t.

Wayne was addressing the type inconsistency which you
had brought up as a second point.

> Included a patch that fixes all the potential malloc()/realloc()
> overflows that I found. I'd feel a bit safer with them included :)

Looks mostly OK.

Some nits:

	Always put whitespace around operators,
	"INT_MAX - 4" not "INT_MAX-4".

	INT_MAX is probably incorrect.  UINT_MAX is closer,
	but don't count on 32-bit ints or on size_t ==
	uint32.  On a 64-bit system size_t won't wrap on
	us, so we don't want to impose an arbitrary limit.

	If the patch is an attachment use text/plain not
	some other mime-type.

	J.W. Schultz            Pegasystems Technologies
	email address:		jw at pegasys.ws

		Remember Cernan and Schmitt
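The two points argued over in this thread, the multiplication feeding malloc()/realloc() wrapping around, and a loop bound cast to int, can be shown side by side. The following C is an added example written for this page; it is not rsync code and not the patch under discussion. The helper names (array_size_overflows, xmalloc_array, xrealloc_array, loop_runs_with_int_cast) are made up for illustration. It checks count * size against SIZE_MAX from <stdint.h>, which is correct for whatever width size_t has, and contrasts that with a check against INT_MAX, which on a 64-bit host rejects allocations that cannot wrap at all.

```c
#include <errno.h>
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Portable overflow test for count * size.  SIZE_MAX is the real upper
 * bound of size_t, so this neither assumes 32-bit ints nor caps 64-bit
 * allocations at an arbitrary 2 GiB. */
int array_size_overflows(size_t count, size_t size)
{
	if (count == 0 || size == 0)
		return 0;
	return count > SIZE_MAX / size;
}

/* The check the thread warns against: bounding by INT_MAX.  On a 64-bit
 * host this rejects any request above INT_MAX bytes even though the
 * product fits in size_t without wrapping. */
int array_size_exceeds_int_max(size_t count, size_t size)
{
	if (count == 0 || size == 0)
		return 0;
	return count > (size_t)INT_MAX / size;
}

/* malloc()/realloc() wrappers (hypothetical names) that refuse a
 * request whose byte count would wrap instead of returning a buffer
 * that is far smaller than the caller believes. */
void *xmalloc_array(size_t count, size_t size)
{
	if (array_size_overflows(count, size)) {
		errno = ENOMEM;
		return NULL;
	}
	return malloc(count * size);
}

void *xrealloc_array(void *p, size_t count, size_t size)
{
	if (array_size_overflows(count, size)) {
		errno = ENOMEM;
		return NULL;
	}
	return realloc(p, count * size);
}

/* The loop bound from the quoted code, "i < (int) s->count".  For
 * count >= 2^31 the cast yields a negative int on GCC/Clang (the
 * conversion is implementation-defined), so the loop body never runs. */
int loop_runs_with_int_cast(size_t count)
{
	int i = 0;
	return i < (int)count;
}

/* Same comparison with the loop counter kept as size_t. */
int loop_runs_with_size_t(size_t count)
{
	size_t i = 0;
	return i < count;
}

int main(void)
{
	/* Constructed inputs: one that wraps size_t, one that only
	 * exceeds INT_MAX. */
	size_t wraps = SIZE_MAX / 8 + 1;          /* wraps * 8 == 0 */
	size_t over_int = (size_t)INT_MAX / 4 + 1; /* over_int * 4 == 2^31 */
	void *p;

	printf("sizeof(size_t) = %zu\n", sizeof(size_t));
	printf("SIZE_MAX check rejects wrapping request: %d\n",
	       array_size_overflows(wraps, 8));
	printf("SIZE_MAX check rejects 2 GiB request:   %d\n",
	       array_size_overflows(over_int, 4));
	printf("INT_MAX check rejects 2 GiB request:    %d\n",
	       array_size_exceeds_int_max(over_int, 4));

	p = xmalloc_array(wraps, 8);
	printf("xmalloc_array(wrapping size) -> %s\n", p ? "buffer" : "NULL");
	free(p);

	p = xmalloc_array(16, sizeof(int));
	printf("xmalloc_array(16, sizeof(int)) -> %s\n", p ? "buffer" : "NULL");
	p = xrealloc_array(p, 32, sizeof(int));
	printf("xrealloc_array(p, 32, sizeof(int)) -> %s\n", p ? "buffer" : "NULL");
	free(p);

	printf("loop runs with (int) cast, count = INT_MAX+1: %d\n",
	       loop_runs_with_int_cast((size_t)INT_MAX + 1));
	printf("loop runs with size_t,     count = INT_MAX+1: %d\n",
	       loop_runs_with_size_t((size_t)INT_MAX + 1));
	return 0;
}
```

Build with -Wall -Wextra -Wsign-compare, which flags the int/size_t comparison in loop_runs_with_int_cast; the SIZE_MAX division check is the same test glibc-style calloc() wrappers use, and it costs one division per allocation.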
