Bug 4357 - Missing bounds checking in send_files could lead to a crash
Summary: Missing bounds checking in send_files could lead to a crash
Status: RESOLVED INVALID
Alias: None
Product: rsync
Classification: Unclassified
Component: core
Version: 2.6.9
Hardware: x86 Linux
Importance: P3 normal
Target Milestone: ---
Assignee: Wayne Davison
QA Contact: Rsync QA Contact
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2007-01-26 07:44 UTC by Dave
Modified: 2007-01-26 17:00 UTC
Description Dave 2007-01-26 07:44:33 UTC
In sender.c / send_files, the file index read off the wire is used directly to index into the files array without any bounds checking.
This could easily lead to a crash from a malicious client sending bad data. Since the file list is on the heap and not the stack, it seems unlikely this could be used to trigger a stack attack, but other attacks may be possible.
Comment 1 Matt McCutchen 2007-01-26 15:12:38 UTC
No, in rsync 2.6.9, the index is checked by read_item_attrs on line 171 of sender.c.

In the current CVS rsync, because of the introduction of file-list chunks, the bounds check has become a search for the file-list chunk that contains the requested index in flist_for_ndx and an error if no such chunk exists (see lines 154 and 407 of rsync.c).
Comment 2 Dave 2007-01-26 17:00:41 UTC
Thanks for the clarification - missed the exit_cleanup in read_item_attrs
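The point the thread settles on is that a peer-supplied index must be range-checked before it is used to address the file list, and that the check has to reject both negative and too-large values. The following is an added illustration, not rsync's code: `struct file_list`, `read_ndx`, `lookup_checked` and `serve_requests` are hypothetical names, the 4-byte little-endian index framing is constructed for the example, and the file names and request stream are made-up sample data. It shows the unchecked pattern the report describes beside the checked form that refuses an out-of-range index instead of dereferencing it.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for a heap-allocated file list (not rsync's own struct). */
struct file_list {
    const char **names;
    size_t count;
};

/* Decode a 4-byte little-endian signed index as a peer might send it.
 * Constructed wire framing for this example, not rsync's exact encoding. */
static int32_t read_ndx(const unsigned char wire[4])
{
    uint32_t u = (uint32_t)wire[0] | ((uint32_t)wire[1] << 8) |
                 ((uint32_t)wire[2] << 16) | ((uint32_t)wire[3] << 24);
    int32_t ndx;
    memcpy(&ndx, &u, sizeof ndx);   /* reinterpret the bits without signed-overflow UB */
    return ndx;
}

/* The pattern the report worried about: the peer-supplied index is trusted.
 * Any value outside [0, count) reads past the array. Kept only for contrast;
 * it is never called on the sample stream below. */
const char *lookup_unchecked(const struct file_list *fl, const unsigned char wire[4])
{
    return fl->names[read_ndx(wire)];
}

/* Checked form: validate the index before it touches memory. Returns NULL on a
 * bad index so the caller can abort the session (the role exit_cleanup plays in
 * the thread above) rather than continue with corrupted state. */
const char *lookup_checked(const struct file_list *fl, const unsigned char wire[4])
{
    int32_t ndx = read_ndx(wire);
    if (ndx < 0 || (size_t)ndx >= fl->count) {
        fprintf(stderr, "rejecting out-of-range file index %d (list has %zu entries)\n",
                (int)ndx, fl->count);
        return NULL;
    }
    return fl->names[ndx];
}

/* Walk a stream of index requests, stopping at the first bad one (a real
 * receiver would drop the connection). Returns how many requests were served. */
size_t serve_requests(const struct file_list *fl, const unsigned char *stream, size_t nreq)
{
    size_t served = 0;
    for (size_t i = 0; i < nreq; i++) {
        const char *name = lookup_checked(fl, stream + 4 * i);
        if (!name)
            break;
        printf("sending %s\n", name);
        served++;
    }
    return served;
}

/* Constructed sample data: three file names and four requests, the last two bad. */
static const char *sample_names[] = { "a.txt", "b.txt", "c.txt" };
const struct file_list sample_list = { sample_names, 3 };
const unsigned char sample_stream[] = {
    0x01, 0x00, 0x00, 0x00,   /* index 1  -> valid */
    0x02, 0x00, 0x00, 0x00,   /* index 2  -> valid */
    0x03, 0x00, 0x00, 0x00,   /* index 3  -> one past the end, rejected */
    0xff, 0xff, 0xff, 0xff,   /* index -1 -> negative, rejected */
};

int main(void)
{
    size_t n = serve_requests(&sample_list, sample_stream, 4);
    printf("served %zu of 4 requests\n", n);
    return 0;
}
```

The two comparisons in `lookup_checked` matter separately: decoding as a signed value and testing `ndx < 0` catches the all-ones case, and the cast to `size_t` before the upper-bound test avoids a signed/unsigned comparison that some compilers would silently widen the wrong way.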