[Bug 8654] New: link-by-hash: Fix (non-exploitable) buffer overflow
samba-bugs at samba.org
Sun Dec 11 19:50:30 MST 2011
https://bugzilla.samba.org/show_bug.cgi?id=8654
Summary: link-by-hash: Fix (non-exploitable) buffer overflow
Product: rsync
Version: 3.1.0
Platform: All
OS/Version: All
Status: NEW
Severity: minor
Priority: P5
Component: core
AssignedTo: wayned at samba.org
ReportedBy: chris at onthe.net.au
QAContact: rsync-qa at samba.org
Created attachment 7167
--> https://bugzilla.samba.org/attachment.cgi?id=7167
link-by-hash: Fix (non-exploitable) buffer overflow
The link-by-hash.diff patch contains a buffer overflow: the size of the 'hash'
buffer on the stack allows for one extra character beyond the size needed for
the text version of the hash, but it needs two: one for the '/' directory
separator and another for the trailing null.
This was caught by noticing a compile warning:
gcc -std=gnu99 -I. -I../rsync -g -O2 -DHAVE_CONFIG_H -Wall -W -c
../rsync/hashlink.c -o hashlink.o
../rsync/hashlink.c: In function ‘make_hash_name’:
../rsync/hashlink.c:46: warning: array subscript is above array bounds
The overflow is non-exploitable as it harmlessly overwrites the following dst
variable with a null just before using asprintf() to set the dst variable
again.
But it should be fixed - see attached patch, against
"packaging/branch-from-patch ../rsync-patches/link-by-hash.diff"
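As an added example, not the attached patch and not rsync's own hashlink.c, the sizing arithmetic behind this report in C: a hypothetical make_hash_name_safe that refuses to write when the buffer lacks room for both the '/' separator and the trailing null, tried with the one-spare-byte size the report describes and the two-spare-byte size it asks for. The 32-character digest text and the function names are assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical reconstruction of the sizing mistake described in the report;
 * this is not rsync's hashlink.c. An MD5 digest renders as 32 hex chars. */
#define HASH_HEX_LEN 32

/* Constructed sample digest text. */
static const char SAMPLE_HEX[] = "0123456789abcdef0123456789abcdef";

/* Bytes needed to hold "/" + hex digest + terminating NUL. */
size_t hash_name_bytes_needed(size_t hex_len)
{
    return hex_len + 2; /* one for '/', one for the NUL */
}

/* Writes "/<hex>" into buf. Returns the length written, or -1 if buf is
 * too small, instead of writing one byte past its end as the bug did. */
int make_hash_name_safe(char *buf, size_t buflen, const char *hex)
{
    size_t hex_len = strlen(hex);
    if (buflen < hash_name_bytes_needed(hex_len))
        return -1;
    int n = snprintf(buf, buflen, "/%s", hex);
    if (n < 0 || (size_t)n >= buflen)
        return -1;
    return n;
}

/* Original sizing: one spare byte. Rejected instead of overwriting the next stack variable. */
int buggy_size_result(void)
{
    char hash[HASH_HEX_LEN + 1];
    return make_hash_name_safe(hash, sizeof hash, SAMPLE_HEX);
}

/* Patched sizing: two spare bytes, enough for '/' and the NUL. */
int fixed_size_result(void)
{
    char hash[HASH_HEX_LEN + 2];
    return make_hash_name_safe(hash, sizeof hash, SAMPLE_HEX);
}

int main(void)
{
    printf("needed=%zu buggy=%d fixed=%d\n", hash_name_bytes_needed(HASH_HEX_LEN),
           buggy_size_result(), fixed_size_result());
    return 0;
}
```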