[Bug 11338] Rsync Crash - Segmentation fault

samba-bugs at samba.org samba-bugs at samba.org
Wed Feb 27 09:59:28 UTC 2019


--- Comment #4 from Michal Ruprich <mruprich at redhat.com> ---

We encountered a similar segfault a couple of years ago. As you can see here
in comment #2, the p *in shows that the input buffer's size and len are
unreasonably huge - len = 18446744073709532799, size = 18446744073709551615,
which leads to the assumption that there was a buffer overflow here. We were
never able to create a reliable reproducer for this, but after some analysis, we
think that the problem is in the rwrite function:

    if (ic != (iconv_t)-1) {
        xbuf outbuf, inbuf;
        char convbuf[1024];
        int ierrno;

        INIT_CONST_XBUF(outbuf, convbuf);
        INIT_XBUF(inbuf, (char*)buf, len, (size_t)-1);

        while (inbuf.len) {
            /* iconvbufs() advances inbuf.pos and shrinks inbuf.len itself */
            iconvbufs(ic, &inbuf, &outbuf, inbuf.pos ? 0 : ICB_INIT);
            ierrno = errno;
            if (outbuf.len) {
                filtered_fwrite(f, convbuf, outbuf.len, 0);
                outbuf.len = 0;
            }
            if (!ierrno || ierrno == E2BIG)
                continue;
            /* any other error: escape one input byte and skip past it */
            fprintf(f, "\\#%03o", CVAL(inbuf.buf, inbuf.pos++));
            inbuf.len--;     /* <============== no check for the buffer length */
        }
    } else

The problem is (probably) that the input buffer length is changed in the
iconvbufs function, and the rwrite function is dependent on the iconvbufs
return values. I know that there have been changes in the iconvbufs code over
the years, and without a reproducer it is hard to test this, but we came up with
a patch to make the rsync code in rwrite a little bit more robust. Adding the
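
As an added example (not rsync's code, and not the patch the comment refers to), the loop quoted above modelled in C with a constructed stand-in for iconvbufs() that shrinks inbuf.len itself: run_unchecked() mirrors the quoted loop and returns the wrapped length, run_checked() adds a length check before skipping a byte. xbuf, fake_iconvbufs, drain, demo_out and sample are assumptions of this example, not names from rsync.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
/* Minimal stand-in for rsync's xbuf: buffer, read position, bytes remaining. */
typedef struct { const char *buf; size_t pos, len; } xbuf;

/* Constructed stand-in for iconvbufs(): copies ASCII bytes to out, stops at the
 * first byte >= 0x80 and reports EILSEQ.  Like the real converter it advances
 * pos and shrinks len itself; it leaves errno alone when it merely runs out of
 * input, which models the stale-error case the comment suspects. */
static void fake_iconvbufs(xbuf *in, char *out, size_t *n) {
    *n = 0;
    while (in->len && (unsigned char)in->buf[in->pos] < 0x80) {
        out[(*n)++] = in->buf[in->pos++];
        in->len--;
    }
    if (in->len) errno = EILSEQ;
}

static char demo_out[64];   /* the escaped text rwrite() would have printed */

/* Drain 'inlen' bytes through the converter, escaping bad bytes as the quoted
 * loop does.  check_len == 0 mirrors that loop; check_len != 0 refuses to skip
 * a byte that is no longer there.  Returns the final inbuf.len. */
static size_t drain(const char *in, size_t inlen, int check_len) {
    xbuf inbuf = { in, 0, inlen };
    char convbuf[64];
    size_t n, used = 0;
    errno = 0;
    while (inbuf.len) {
        fake_iconvbufs(&inbuf, convbuf, &n);
        int ierrno = errno;
        memcpy(demo_out + used, convbuf, n); used += n;
        if (!ierrno || ierrno == E2BIG)
            continue;
        if (check_len && !inbuf.len)
            break;                   /* hardened: nothing left to skip */
        used += snprintf(demo_out + used, sizeof demo_out - used, "\\#%03o",
                         (unsigned char)inbuf.buf[inbuf.pos++]);
        inbuf.len--;                 /* wraps to (size_t)-1 when len was 0 */
        if (inbuf.len > inlen) break; /* demo guard: the real loop would read on past the buffer */
    }
    demo_out[used] = '\0';
    return inbuf.len;
}

/* Constructed input: ASCII, one invalid byte, ASCII, then the terminating NUL. */
static const char sample[] = { 'a', 'b', '\xff', 'c', 'd', '\0' };
size_t run_unchecked(void) { return drain(sample, 5, 0); }
size_t run_checked(void)   { return drain(sample, 5, 1); }
```

The unchecked run escapes the byte past the data and returns (size_t)-1, the same 18446744073709551615 the comment quotes for size; the checked run stops cleanly with len 0.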
