Patrick Williams | c124f4f | 2015-09-15 14:41:29 -0500 | [diff] [blame] | 1 | Upstream-Status: Backport [ The patch is rsync-2.6.9 specific ] |
| 2 | |
| 3 | The patch is from https://issues.rpath.com/browse/RPL-1647 and is used to |
| 4 | address http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2007-4091 |
| 5 | |
| 6 | Date: Tue May 10 10:07:36 2011 +0800 |
| 7 | Dexuan Cui <dexuan.cui@intel.com> |
| 8 | |
| 9 | diff --git a/sender.c b/sender.c |
| 10 | index 6fcaa65..053a8f1 100644 |
| 11 | --- a/sender.c |
| 12 | +++ b/sender.c |
| 13 | @@ -123,6 +123,7 @@ void successful_send(int ndx) |
| 14 | char fname[MAXPATHLEN]; |
| 15 | struct file_struct *file; |
| 16 | unsigned int offset; |
| 17 | + size_t l = 0; |
| 18 | |
| 19 | if (ndx < 0 || ndx >= the_file_list->count) |
| 20 | return; |
| 21 | @@ -133,6 +134,20 @@ void successful_send(int ndx) |
| 22 | file->dir.root, "/", NULL); |
| 23 | } else |
| 24 | offset = 0; |
| 25 | + |
| 26 | + l = offset + 1; |
| 27 | + if (file) { |
| 28 | + if (file->dirname) |
| 29 | + l += strlen(file->dirname); |
| 30 | + if (file->basename) |
| 31 | + l += strlen(file->basename); |
| 32 | + } |
| 33 | + |
| 34 | + if (l >= sizeof(fname)) { |
| 35 | + rprintf(FERROR, "Overlong pathname\n"); |
| 36 | + exit_cleanup(RERR_FILESELECT); |
| 37 | + } |
| 38 | + |
| 39 | f_name(file, fname + offset); |
| 40 | if (remove_source_files) { |
| 41 | if (do_unlink(fname) == 0) { |
| 42 | @@ -224,6 +239,7 @@ void send_files(struct file_list *flist, int f_out, int f_in) |
| 43 | enum logcode log_code = log_before_transfer ? FLOG : FINFO; |
| 44 | int f_xfer = write_batch < 0 ? batch_fd : f_out; |
| 45 | int i, j; |
| 46 | + size_t l = 0; |
| 47 | |
| 48 | if (verbose > 2) |
| 49 | rprintf(FINFO, "send_files starting\n"); |
| 50 | @@ -259,6 +275,20 @@ void send_files(struct file_list *flist, int f_out, int f_in) |
| 51 | fname[offset++] = '/'; |
| 52 | } else |
| 53 | offset = 0; |
| 54 | + |
| 55 | + l = offset + 1; |
| 56 | + if (file) { |
| 57 | + if (file->dirname) |
| 58 | + l += strlen(file->dirname); |
| 59 | + if (file->basename) |
| 60 | + l += strlen(file->basename); |
| 61 | + } |
| 62 | + |
| 63 | + if (l >= sizeof(fname)) { |
| 64 | + rprintf(FERROR, "Overlong pathname\n"); |
| 65 | + exit_cleanup(RERR_FILESELECT); |
| 66 | + } |
| 67 | + |
| 68 | fname2 = f_name(file, fname + offset); |
| 69 | |
| 70 | if (verbose > 2) |