[Bug 8654] New: link-by-hash: Fix (non-exploitable) buffer overflow

samba-bugs at samba.org samba-bugs at samba.org
Sun Dec 11 19:50:30 MST 2011


           Summary: link-by-hash: Fix (non-exploitable) buffer overflow
           Product: rsync
           Version: 3.1.0
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: minor
          Priority: P5
         Component: core
        AssignedTo: wayned at samba.org
        ReportedBy: chris at onthe.net.au
         QAContact: rsync-qa at samba.org

Created attachment 7167
  --> https://bugzilla.samba.org/attachment.cgi?id=7167
link-by-hash: Fix (non-exploitable) buffer overflow

The link-by-hash.diff patch contains a buffer overflow: the size of the 'hash'
buffer on the stack allows for one extra character beyond the size needed for
the text version of the hash but it needs two: one for the '/' directory
separator and another for the trailing null.

This was caught by noticing a compile warning:

gcc -std=gnu99 -I. -I../rsync -g -O2 -DHAVE_CONFIG_H -Wall -W  -c
../rsync/hashlink.c -o hashlink.o
../rsync/hashlink.c: In function ‘make_hash_name’:
../rsync/hashlink.c:46: warning: array subscript is above array bounds

The overflow is non-exploitable as it harmlessly overwrites the following dst
variable with a null just before using asprintf() to set the dst variable

But it should be fixed - see attached patch, against
"packaging/branch-from-patch ../rsync-patches/link-by-hash.diff"

Configure bugmail: https://bugzilla.samba.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the QA contact for the bug.

More information about the rsync mailing list