samba-bugs at samba.org
2015-Jul-04 07:57 UTC
[Bug 11383] New: rsync_panic_handler may execute incomplete command
https://bugzilla.samba.org/show_bug.cgi?id=11383

            Bug ID: 11383
           Summary: rsync_panic_handler may execute incomplete command
           Product: rsync
           Version: 3.1.1
          Hardware: All
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: P5
         Component: core
          Assignee: wayned at samba.org
          Reporter: brant at gurganus.name
        QA Contact: rsync-qa at samba.org

The rsync_panic_handler currently defined at line 1490 of main.c writes into a fixed size cmd_buf at line 1492 a non-controlled value, returned ultimately by get_panic_action(), using snprintf at line 1495. The combined values destined for cmd_buf by way of snprintf may be greater than the 300 character buffer. This is not checked. Consequently, a command may attempt to execute that was not intended.

To address this specific issue, if the snprintf function returns a value greater than or equal to the size of cmd_buf, cmd_buf either needs to be enlarged or some informative action should occur. It should not take the current path of executing an incomplete command. The glibc manual suggests calling asprintf instead of snprintf to dynamically allocate sufficient space for cmd_buf, though dynamic memory allocation is a possible failure point which may not be the best for this code path for signal handling.

I believe there may be some issues as well in that the result of get_panic_action is not validated for its usage, and I believe the printf family of functions can do non-failing information disclosure sorts of behaviors if there are more format parameters than passed in. There is a parse_printf_format function in glibc at least that could be used to validate the format matches the inputs given to it instead of possibly leaking stack values occurring after the arguments to snprintf.

-- 
You are receiving this mail because:
You are the QA Contact for the bug.
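The two problems the report raises (an unchecked snprintf return value, and a panic-action template whose conversions are never compared against the arguments supplied) can be shown side by side in a small standalone program. The code below is an added illustration written for this page; it is not rsync's own main.c code, and the assumption that the panic-action string is a printf template taking one int (the pid) is this example's, not something the report states. The helper names (build_panic_cmd_unchecked, build_panic_cmd_checked, count_pid_conversions, long_template) are hypothetical, and the oversized template is a constructed input.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not rsync's code. Mirrors the pattern in the report:
 * a fixed 300-byte command buffer filled by snprintf from a panic-action
 * template the process does not control, plus the pid. Assumption: the
 * template is a printf format that should consume exactly one int. */

#define CMD_BUF_SIZE 300

/* Count the conversions in fmt, accepting only "%d" and the literal "%%".
 * Returns the number of %d conversions, or -1 if any other conversion
 * (%s, %n, %x, ...) or a dangling '%' appears. A template with more
 * conversions than arguments makes snprintf read whatever follows the
 * real arguments on the stack, which is the leak the report describes. */
int count_pid_conversions(const char *fmt)
{
    int count = 0;
    for (const char *p = fmt; *p; p++) {
        if (*p != '%')
            continue;
        p++;
        if (*p == '%')
            continue;          /* "%%" is a literal percent sign */
        if (*p == 'd') {
            count++;
            continue;
        }
        return -1;             /* anything else (or '%' at the end) is rejected */
    }
    return count;
}

/* Unchecked variant: snprintf's return value is ignored, so a template
 * longer than the buffer yields a silently truncated command. */
int build_panic_cmd_unchecked(char *cmd_buf, size_t buf_size,
                              const char *action, int pid)
{
    snprintf(cmd_buf, buf_size, action, pid);
    return 0;                  /* reports success even when truncated */
}

/* Checked variant: validates the template first, then refuses to hand
 * back a truncated command. snprintf returns the length the complete
 * output would have had, so n >= buf_size means it did not fit. */
int build_panic_cmd_checked(char *cmd_buf, size_t buf_size,
                            const char *action, int pid)
{
    int n;
    cmd_buf[0] = '\0';
    if (count_pid_conversions(action) != 1)
        return -1;             /* template does not match the one int we pass */
    n = snprintf(cmd_buf, buf_size, action, pid);
    if (n < 0 || (size_t)n >= buf_size) {
        cmd_buf[0] = '\0';     /* never leave a partial command behind */
        return -1;
    }
    return 0;
}

/* Constructed input: a template much longer than CMD_BUF_SIZE, standing
 * in for an oversized panic-action string. */
const char *long_template(void)
{
    static char tmpl[400];
    if (tmpl[0] == '\0') {
        memset(tmpl, 'A', sizeof tmpl - 1);
        memcpy(tmpl, "gdb /proc/%d/exe ", 17);
        tmpl[sizeof tmpl - 1] = '\0';
    }
    return tmpl;
}

/* Length of the command the unchecked builder would hand to the shell. */
size_t unchecked_len(const char *action, int pid)
{
    char cmd[CMD_BUF_SIZE];
    build_panic_cmd_unchecked(cmd, sizeof cmd, action, pid);
    return strlen(cmd);
}

/* Result code of the checked builder for the same input. */
int checked_result(const char *action, int pid)
{
    char cmd[CMD_BUF_SIZE];
    return build_panic_cmd_checked(cmd, sizeof cmd, action, pid);
}

int main(void)
{
    printf("unchecked: %zu bytes of a %zu-byte command handed on\n",
           unchecked_len(long_template(), 4242),
           strlen(long_template()) + 2);   /* +2: "%d" becomes "4242" */
    printf("checked:   result %d (refused)\n",
           checked_result(long_template(), 4242));
    printf("checked:   result %d for a template with %%s\n",
           checked_result("sh -c '%s' %d", 4242));
    return 0;
}
```

The template check deliberately allows only "%d" because that is the one argument the builder passes; widening it to other conversions would need a matching widening of the argument list, which is exactly the mismatch the report warns about. The truncation check uses the snprintf return value rather than asprintf, keeping the code path free of allocation as the report prefers for a signal handler.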