[Bug 11338] Rsync Crash - Segmentation fault
samba-bugs at samba.org
Wed Feb 27 09:59:28 UTC 2019
https://bugzilla.samba.org/show_bug.cgi?id=11338
--- Comment #4 from Michal Ruprich <mruprich at redhat.com> ---
Hi,
we encountered a similar segfault a couple of years ago. As you can see here
in comment #2, the output of p *in shows that the input buffer's size and len are
unreasonably huge - len = 18446744073709532799, size = 18446744073709551615 -
which leads to the assumption that there was a buffer overflow here. We were
never able to create a reliable reproducer for this, but after some analysis we
think that the problem is in the rwrite function:
#ifdef ICONV_CONST
    if (ic != (iconv_t)-1) {
        xbuf outbuf, inbuf;
        char convbuf[1024];
        int ierrno;

        INIT_CONST_XBUF(outbuf, convbuf);
        INIT_XBUF(inbuf, (char*)buf, len, (size_t)-1);

        while (inbuf.len) {
            iconvbufs(ic, &inbuf, &outbuf, inbuf.pos ? 0 : ICB_INIT);
            ierrno = errno;
            if (outbuf.len) {
                filtered_fwrite(f, convbuf, outbuf.len, 0);
                outbuf.len = 0;
            }
            if (!ierrno || ierrno == E2BIG)
                continue;
            fprintf(f, "\\#%03o", CVAL(inbuf.buf, inbuf.pos++));
            inbuf.len--; <============== no check for the buffer length
        }
    } else
#endif
The problem is (probably) that the input buffer length is changed in the
iconvbufs function, and the rwrite function depends on the iconvbufs
return values. I know that there have been changes in the iconvbufs code over
the years, and without a reproducer it is hard to test this, but we came up with
a patch to make the rsync code in rwrite a little bit more robust. Adding the
patch.
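The following is an added example, not rsync's code and not the patch attached to this comment: a constructed C model of the escape loop quoted above, with a hypothetical stand-in for iconvbufs() (fake_iconvbufs) whose behaviour is scripted per call through conv_step. It shows the normal case, where the converter stops in front of an undecodable byte and the escape branch is safe, and the case the comment suspects, where the converter consumes all of the input and still reports an error, so CVAL() reads one past the buffer and inbuf.len-- wraps to SIZE_MAX (the len value in comment #2 is of that form). The hardened flag enables a hypothetical "len == 0" guard before the escape branch; it is my illustration of the kind of check being proposed, not the contents of the attached patch. The types, field names, the escape_loop/loop_result names and the max_iter cap (needed so a wrapped len cannot walk off the buffer in this demonstration) are all assumptions of this example.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model of the xbuf fields rwrite uses; INIT_XBUF sets size to
 * (size_t)-1, which is why comment #2 shows size == 18446744073709551615. */
typedef struct {
    const char *buf;
    size_t pos;   /* next unread byte */
    size_t len;   /* bytes remaining from pos */
    size_t size;
} xbuf;

/* One scripted call of the stand-in converter: consume up to `consume` bytes,
 * then report `err` via errno (0 = success). Hypothetical, not rsync's API. */
typedef struct { size_t consume; int err; } conv_step;

static void fake_iconvbufs(xbuf *in, const conv_step *s)
{
    size_t n = s->consume < in->len ? s->consume : in->len;
    in->pos += n;
    in->len -= n;
    errno = s->err;
}

typedef struct {
    size_t final_len;  /* inbuf.len when the loop stops */
    size_t escapes;    /* how many "\#ooo" escapes were emitted */
    int oob_read;      /* CVAL() would have read past the end of buf */
    int capped;        /* loop only stopped because of max_iter */
} loop_result;

/* Mirror of the quoted loop. Steps are replayed in order; the last step repeats.
 * With hardened != 0 a guard stops the escape branch when nothing is left. */
static loop_result escape_loop(const char *src, size_t n,
                               const conv_step *steps, size_t nsteps,
                               int hardened, size_t max_iter)
{
    xbuf in = { src, 0, n, (size_t)-1 };
    loop_result r = { 0, 0, 0, 0 };
    size_t iter = 0;

    while (in.len) {
        if (iter == max_iter) {          /* demonstration guard, not in rsync */
            r.capped = 1;
            break;
        }
        const conv_step *s = &steps[iter < nsteps ? iter : nsteps - 1];
        iter++;

        fake_iconvbufs(&in, s);
        int ierrno = errno;
        if (!ierrno || ierrno == E2BIG)
            continue;

        if (hardened && in.len == 0)     /* hypothetical check: nothing left to escape */
            break;

        if (in.pos >= n) {
            r.oob_read = 1;              /* CVAL(inbuf.buf, inbuf.pos) is past the buffer */
            in.pos++;
        } else {
            printf("\\#%03o", (unsigned char)src[in.pos++]);
        }
        r.escapes++;
        in.len--;                        /* wraps to SIZE_MAX when len was already 0 */
    }
    r.final_len = in.len;
    return r;
}

int main(void)
{
    /* Constructed input: an undecodable 0xff between valid bytes. The converter
     * stops in front of it (as iconv() does on EILSEQ), so len is still > 0. */
    const conv_step normal[] = { { 2, EILSEQ }, { 2, 0 } };
    loop_result a = escape_loop("ab\xff" "cd", 5, normal, 2, 0, 8);
    printf("\nnormal: len=%zu escapes=%zu oob=%d capped=%d\n",
           a.final_len, a.escapes, a.oob_read, a.capped);

    /* Suspected case: everything consumed, error still reported. */
    const conv_step drained[] = { { 3, EILSEQ } };
    loop_result b = escape_loop("abc", 3, drained, 1, 0, 1);
    printf("original: len=%zu escapes=%zu oob=%d capped=%d\n",
           b.final_len, b.escapes, b.oob_read, b.capped);
    loop_result c = escape_loop("abc", 3, drained, 1, 1, 1);
    printf("hardened: len=%zu escapes=%zu oob=%d capped=%d\n",
           c.final_len, c.escapes, c.oob_read, c.capped);
    return 0;
}
```

In the normal case iconv() leaves the offending byte unconsumed, so the pos++/len-- pair only skips that byte. The model's second scenario is the one the comment argues for: once len has wrapped, while (inbuf.len) keeps running with size == (size_t)-1 and no bound left, which matches the values seen in the crash.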