Patrick Williamsc124f4f2015-09-15 14:41:29 -05001Upstream-Status: Backport [ The patch is rsync-2.6.9 specific ]
Patrick Williamsd8c66bc2016-06-20 12:57:21 -05002CVE: CVE-2007-4091
Patrick Williamsc124f4f2015-09-15 14:41:29 -05003
4The patch is from https://issues.rpath.com/browse/RPL-1647 and is used to
5address http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2007-4091
6
7Date: Tue May 10 10:07:36 2011 +0800
8Dexuan Cui <dexuan.cui@intel.com>
9
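--- a/sender.c
+++ b/sender.c
@@ -123,6 +123,7 @@ void successful_send(int ndx)
 char fname[MAXPATHLEN];
 struct file_struct *file;
 unsigned int offset;
+ size_t l = 0;
 
 if (ndx < 0 || ndx >= the_file_list->count)
 return;
@@ -133,6 +134,20 @@ void successful_send(int ndx)
 file->dir.root, "/", NULL);
 } else
 offset = 0;
+
+ l = offset + 1;
+ if (file) {
+ if (file->dirname)
+ l += strlen(file->dirname);
+ if (file->basename)
+ l += strlen(file->basename);
+ }
+
+ if (l >= sizeof(fname)) {
+ rprintf(FERROR, "Overlong pathname\n");
+ exit_cleanup(RERR_FILESELECT);
+ }
+
 f_name(file, fname + offset);
 if (remove_source_files) {
 if (do_unlink(fname) == 0) {
@@ -224,6 +239,7 @@ void send_files(struct file_list *flist, int f_out, int f_in)
 enum logcode log_code = log_before_transfer ? FLOG : FINFO;
 int f_xfer = write_batch < 0 ? batch_fd : f_out;
 int i, j;
+ size_t l = 0;
 
 if (verbose > 2)
 rprintf(FINFO, "send_files starting\n");
@@ -259,6 +275,20 @@ void send_files(struct file_list *flist, int f_out, int f_in)
 fname[offset++] = '/';
 } else
 offset = 0;
+
+ l = offset + 1;
+ if (file) {
+ if (file->dirname)
+ l += strlen(file->dirname);
+ if (file->basename)
+ l += strlen(file->basename);
+ }
+
+ if (l >= sizeof(fname)) {
+ rprintf(FERROR, "Overlong pathname\n");
+ exit_cleanup(RERR_FILESELECT);
+ }
+
 fname2 = f_name(file, fname + offset);
 
 if (verbose > 2)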
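Review bot: The new length check in successful_send and its verbatim copy in send_files depend on how f_name lays out the path, and nothing in the code says so: the `+ 1` combined with `>=` leaves room for both the separator and the terminating NUL only if f_name writes dirname, one '/', and basename (inferred; f_name is not shown on this page). I would move the twelve duplicated lines into one static helper whose comment states that invariant, so the two call sites cannot drift apart and the bound stays next to its reasoning. The `if (file)` guard also reads as if file may be NULL, yet file is passed to f_name unconditionally right after the check and `file->dir.root` is used just above it in successful_send, so the guard should either be dropped or turned into an early return. Both functions start and end outside the hunks.

```c
/* Nonzero when dirname + '/' + basename + NUL fits in bufsize bytes starting
 * at offset. Must stay in step with what f_name() writes into the buffer. */
static int fname_fits(const struct file_struct *file, size_t offset, size_t bufsize)
{
	size_t need = offset + 1;	/* with '<' below: separator and NUL */

	if (file->dirname)
		need += strlen(file->dirname);
	if (file->basename)
		need += strlen(file->basename);
	return need < bufsize;
}

	/* … unchanged: offset computation from file->dir.root … */
	if (!fname_fits(file, offset, sizeof fname)) {
		rprintf(FERROR, "Overlong pathname\n");
		exit_cleanup(RERR_FILESELECT);
	}
	f_name(file, fname + offset);
```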