blob: f054452f37f2da09d2ff327ec99f1e1daf48c00c [file] [log] [blame]
Patrick Williamsc124f4f2015-09-15 14:41:29 -05001Upstream-Status: Backport [ The patch is rsync-2.6.9 specific ]
2
3The patch is from https://issues.rpath.com/browse/RPL-1647 and is used to
4address http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2007-4091
5
6Date: Tue May 10 10:07:36 2011 +0800
7Dexuan Cui <dexuan.cui@intel.com>
8
9diff --git a/sender.c b/sender.c
10index 6fcaa65..053a8f1 100644
11--- a/sender.c
12+++ b/sender.c
13@@ -123,6 +123,7 @@ void successful_send(int ndx)
14 char fname[MAXPATHLEN];
15 struct file_struct *file;
16 unsigned int offset;
17+ size_t l = 0;
18
19 if (ndx < 0 || ndx >= the_file_list->count)
20 return;
21@@ -133,6 +134,20 @@ void successful_send(int ndx)
22 file->dir.root, "/", NULL);
23 } else
24 offset = 0;
25+
26+ l = offset + 1;
27+ if (file) {
28+ if (file->dirname)
29+ l += strlen(file->dirname);
30+ if (file->basename)
31+ l += strlen(file->basename);
32+ }
33+
34+ if (l >= sizeof(fname)) {
35+ rprintf(FERROR, "Overlong pathname\n");
36+ exit_cleanup(RERR_FILESELECT);
37+ }
38+
39 f_name(file, fname + offset);
40 if (remove_source_files) {
41 if (do_unlink(fname) == 0) {
42@@ -224,6 +239,7 @@ void send_files(struct file_list *flist, int f_out, int f_in)
43 enum logcode log_code = log_before_transfer ? FLOG : FINFO;
44 int f_xfer = write_batch < 0 ? batch_fd : f_out;
45 int i, j;
46+ size_t l = 0;
47
48 if (verbose > 2)
49 rprintf(FINFO, "send_files starting\n");
50@@ -259,6 +275,20 @@ void send_files(struct file_list *flist, int f_out, int f_in)
51 fname[offset++] = '/';
52 } else
53 offset = 0;
54+
55+ l = offset + 1;
56+ if (file) {
57+ if (file->dirname)
58+ l += strlen(file->dirname);
59+ if (file->basename)
60+ l += strlen(file->basename);
61+ }
62+
63+ if (l >= sizeof(fname)) {
64+ rprintf(FERROR, "Overlong pathname\n");
65+ exit_cleanup(RERR_FILESELECT);
66+ }
67+
68 fname2 = f_name(file, fname + offset);
69
70 if (verbose > 2)