[Bug 11383] New: rsync_panic_handler may execute incomplete command

samba-bugs at samba.org
Sat Jul 4 07:57:40 UTC 2015


https://bugzilla.samba.org/show_bug.cgi?id=11383

            Bug ID: 11383
           Summary: rsync_panic_handler may execute incomplete command
           Product: rsync
           Version: 3.1.1
          Hardware: All
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: P5
         Component: core
          Assignee: wayned at samba.org
          Reporter: brant at gurganus.name
        QA Contact: rsync-qa at samba.org

The rsync_panic_handler, currently defined at line 1490 of main.c, writes into the
fixed-size cmd_buf (line 1492), using snprintf at line 1495, a value that rsync does
not control and that is ultimately returned by get_panic_action(). The combined text
destined for cmd_buf by way of snprintf may be longer than the 300-character buffer.
This is not checked. Consequently, a truncated command that was never intended may be
executed.

To address this specific issue, if snprintf returns a value greater than or equal
to the size of cmd_buf, cmd_buf either needs to be enlarged or some informative
action should occur; the handler should not take its current path of executing an
incomplete command. The glibc manual suggests calling asprintf instead of snprintf
to dynamically allocate sufficient space for cmd_buf, though dynamic memory
allocation is a possible failure point and may not be the best choice for this
signal-handling code path.

I believe there may be some issues as well in that the result of
get_panic_action is not validated for its usage, and I believe the printf
family of functions can do non-failing information disclosure sorts of
behaviors if there are more format parameters than passed in. There is a
parse_printf_format function in glibc at least that could be used to validate
the format matches the inputs given to it instead of possibly leaking stack
values occurring after the arguments to snprintf.
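As an added example (not rsync's code), the two checks the report asks for, in C: snprintf's return value is compared against the 300-byte buffer so a truncated command is never handed on for execution, and a whitelist scan of the action string stands in for a parse_printf_format check. It assumes the action string is a printf-style format whose only argument is the process id; the report does not show the real format, so that is an assumption.

```c
#include <stdio.h>
#include <string.h>

#define CMD_BUF_SIZE 300   /* the fixed buffer size named in the report */
#define PID_ARGS 2         /* pid arguments build_panic_cmd() hands to snprintf */

/* Count argument-consuming conversions in fmt, accepting only a plain %d
 * (the pid) and the literal %%.  Anything else (%s, %n, %p, flags, widths)
 * yields -1, so the format can never read arguments that were not passed.
 * Portable stand-in for a glibc parse_printf_format() check. */
int count_pid_conversions(const char *fmt)
{
    int n = 0;
    const char *p;

    for (p = fmt; *p; p++) {
        if (*p != '%')
            continue;
        p++;                        /* conversion character (or NUL) */
        if (*p == '%')
            continue;               /* literal '%', consumes nothing */
        if (*p != 'd')
            return -1;              /* unsupported conversion: reject */
        n++;
    }
    return n;
}

/* Format the panic action into buf.  Returns 0 on success, -1 if the format
 * is rejected and -2 if the text would not fit: snprintf returns the length
 * it wanted, so a value >= buflen means buf holds a truncated command.  On
 * any failure buf is emptied so a caller cannot execute a partial command. */
int build_panic_cmd(const char *action, int pid, char *buf, size_t buflen)
{
    int n = count_pid_conversions(action);
    int wanted;

    if (n < 0 || n > PID_ARGS) {
        buf[0] = '\0';
        return -1;
    }
    /* Extra variadic arguments are harmless; too few would be undefined,
     * which the count check above rules out. */
    wanted = snprintf(buf, buflen, action, pid, pid);
    if (wanted < 0 || (size_t)wanted >= buflen) {
        buf[0] = '\0';
        return -2;
    }
    return 0;
}
```

A caller that gets a non-zero return should log the rejection rather than fall through to system(); the emptied buffer makes that failure visible even if the return value is ignored.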
