samba-bugs@samba.org
2007-Jan-26 13:45 UTC
DO NOT REPLY [Bug 4357] New: Missing bounds checking in send_files could lead crash
https://bugzilla.samba.org/show_bug.cgi?id=4357

Summary: Missing bounds checking in send_files could lead crash
Product: rsync
Version: 2.6.9
Platform: x86
OS/Version: Linux
Status: NEW
Severity: normal
Priority: P3
Component: core
AssignedTo: wayned@samba.org
ReportedBy: developer@jungledisk.com
QAContact: rsync-qa@samba.org

In sender.c / send_files the file index read off the wire is used directly for indexing into the files array without any bounds checking. This could easily lead to a crash from a malicious client sending bad data. Since the file list is on the heap and not the stack it seems unlikely this could be used to trigger a stack attack, but other attacks may be possible.

--
Configure bugmail: https://bugzilla.samba.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the QA contact for the bug, or are watching the QA contact.
samba-bugs@samba.org
2007-Jan-26 21:13 UTC
DO NOT REPLY [Bug 4357] Missing bounds checking in send_files could lead crash
https://bugzilla.samba.org/show_bug.cgi?id=4357

------- Comment #1 from hashproduct+rsync@gmail.com 2007-01-26 15:12 MST -------
No, in rsync 2.6.9, the index is checked by read_item_attrs on line 171 of sender.c. In the current CVS rsync, because of the introduction of file-list chunks, the bounds check has become a search for the file-list chunk that contains the requested index in flist_for_ndx and an error if no such chunk exists (see lines 154 and 407 of rsync.c).
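The chunk search that Comment #1 describes, as an added illustration and not rsync's own code: a constructed chunked file list in which an index received from the peer is accepted only when some chunk covers it, so an out-of-range or negative index yields NULL and the caller aborts the transfer instead of indexing the heap array. The struct layout and the names chunk_for_ndx / file_for_ndx are assumptions made for this example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of a chunked file list (not rsync's real structure):
 * each chunk covers the global index range [ndx_start, ndx_start + used). */
struct file_list {
    int ndx_start;       /* first global index held by this chunk */
    int used;            /* number of entries in this chunk */
    const char **files;  /* entries, indexed by (ndx - ndx_start) */
};

/* Find the chunk that contains a global index read off the wire.
 * Returning NULL when no chunk covers it is the bounds check. */
static const struct file_list *chunk_for_ndx(const struct file_list *chunks,
                                             size_t nchunks, int ndx)
{
    if (ndx < 0)
        return NULL;  /* negative index can never be valid */
    for (size_t i = 0; i < nchunks; i++) {
        if (ndx >= chunks[i].ndx_start
            && ndx < chunks[i].ndx_start + chunks[i].used)
            return &chunks[i];
    }
    return NULL;
}

/* Resolve a wire index to a file name. NULL means the peer sent an index
 * outside every chunk; the caller must abort rather than index the array. */
const char *file_for_ndx(const struct file_list *chunks, size_t nchunks, int ndx)
{
    const struct file_list *fl = chunk_for_ndx(chunks, nchunks, ndx);
    return fl ? fl->files[ndx - fl->ndx_start] : NULL;
}

/* Constructed sample: two chunks covering indices 0..2 and 3..4 only. */
static const char *chunk0[] = { "a.txt", "b.txt", "c.txt" };
static const char *chunk1[] = { "d.txt", "e.txt" };
const struct file_list sample_chunks[] = { { 0, 3, chunk0 }, { 3, 2, chunk1 } };
const size_t sample_nchunks = sizeof sample_chunks / sizeof sample_chunks[0];

int main(void)
{
    const int wire_ndx[] = { 0, 4, 5, -1, 1000000 };  /* last three are bogus */
    for (size_t i = 0; i < sizeof wire_ndx / sizeof wire_ndx[0]; i++) {
        const char *name = file_for_ndx(sample_chunks, sample_nchunks, wire_ndx[i]);
        printf("ndx %d -> %s\n", wire_ndx[i], name ? name : "INVALID: abort transfer");
    }
    return 0;
}
```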
samba-bugs@samba.org
2007-Jan-26 23:01 UTC
DO NOT REPLY [Bug 4357] Missing bounds checking in send_files could lead crash
https://bugzilla.samba.org/show_bug.cgi?id=4357

developer@jungledisk.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |INVALID

------- Comment #2 from developer@jungledisk.com 2007-01-26 17:00 MST -------
Thanks for the clarification - missed the exit_cleanup in read_item_attrs