DO NOT REPLY [Bug 7869] rsync segfault
samba-bugs at samba.org
samba-bugs at samba.org
Wed Dec 15 14:14:08 MST 2010
https://bugzilla.samba.org/show_bug.cgi?id=7869
------- Comment #5 from paul at debian.org 2010-12-15 15:14 CST -------
(In reply to comment #3)
> I see what is happening. options.c:1496:
>
> backup_dir_remainder = sizeof backup_dir_buf - backup_dir_len;
> if (backup_dir_remainder < 32) {
> snprintf(err_buf, sizeof err_buf,
> "the --backup-dir path is WAY too long.\n");
> return 0;
> }
>
> But backup_dir_remainder is unsigned, so the subtraction overflows and the
> error message does not trip.
I would have expected strlcpy() to limit the return value to the bufsize passed
as last argument, but at least the lib/compat.c version doesn't, and
contradicts the comments there in doing so ("@return index of the terminating
byte"). If it had done that, it would have limited the result of the
subtraction to >= 0.
--
Configure bugmail: https://bugzilla.samba.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the QA contact for the bug, or are watching the QA contact.
More information about the rsync
mailing list