DO NOT REPLY [Bug 7869] rsync segfault

samba-bugs at samba-bugs at
Wed Dec 15 14:14:08 MST 2010

------- Comment #5 from paul at  2010-12-15 15:14 CST -------
(In reply to comment #3)
> I see what is happening.  options.c:1496:
> backup_dir_remainder = sizeof backup_dir_buf - backup_dir_len;
> if (backup_dir_remainder < 32) {
>         snprintf(err_buf, sizeof err_buf,
>                 "the --backup-dir path is WAY too long.\n");
>         return 0;
> }
> But backup_dir_remainder is unsigned, so the subtraction overflows and the
> error message does not trip.

I would have expected strlcpy() to limit the return value to the bufsize passed
as last argument, but at least the lib/compat.c version doesn't, and
contradicts the comments there in doing so ("@return index of the terminating
byte"). If it had done that, it would have limited the result of the
subtraction to >= 0.

Configure bugmail:
------- You are receiving this mail because: -------
You are the QA contact for the bug, or are watching the QA contact.

More information about the rsync mailing list