In sender.c / send_files the file index read off the wire is used directly for indexing into the files array without any bounds checking.
This could easily lead to a crash from a malicious client sending bad data. Since the file list is on the heap and not the stack it seems unlikely this could be used to trigger a stack attack, but other attacks may be possible.
No, in rsync 2.6.9, the index is checked by read_item_attrs on line 171 of sender.c.
In the current CVS rsync, because of the introduction of file-list chunks, the bounds check has become a search for the file-list chunk that contains the requested index in flist_for_ndx and an error if no such chunk exists (see lines 154 and 407 of rsync.c).
Thanks for the clarrification - missed the exit_cleanup in read_item_attrs