samba-bugs at samba.org
2015-Jul-04 07:57 UTC
[Bug 11383] New: rsync_panic_handler may execute incomplete command
https://bugzilla.samba.org/show_bug.cgi?id=11383 Bug ID: 11383 Summary: rsync_panic_handler may execute incomplete command Product: rsync Version: 3.1.1 Hardware: All OS: Linux Status: NEW Severity: normal Priority: P5 Component: core Assignee: wayned at samba.org Reporter: brant at gurganus.name QA Contact: rsync-qa at samba.org The rsync_panic_handler currently defined at line 1490 of main.c writes into a fixed size cmd_buf at line 1492 a non-controlled value returned ultimately in get_panic_action() using snprintf at line 1495. The combined values destined for cmd_buf by way of snprintf may be greater than the 300 character buffer. This is not checked. Consequently, a command may attempt to execute that was not intended. To address this specific issue, if the snprintf function returns a value greater than or equal to the size of cmd_buf, cmd_buf either needs enlarged or some informative action should occur. It should not take the current path of executing an incomplete command. The glibc manual suggests calling asprintf instead of snprintf to dynamically allocate sufficient space for cmd_buf though dynamic memory allocation is a possible failure point which may not be the best for this code path for signal handling. I believe there may be some issues as well in that the result of get_panic_action is not validated for its usage, and I believe the printf family of functions can do non-failing information disclosure sorts of behaviors if there are more format parameters than passed in. There is a parse_printf_format function in glibc at least that could be used to validate the format matches the inputs given to it instead of possibly leaking stack values occurring after the arguments to snprintf. -- You are receiving this mail because: You are the QA Contact for the bug.
Apparently Analagous Threads
- [Bug 11369] New: obsoleted autoconf macros
- [Bug 11813] New: m4/socklen_t.m4 uses obsolete AC_TRY_COMPILE macro
- [Bug 11814] New: man-copy Make target missing rsync.1 and rsyncd.conf.5 dependencies
- [Bug 11382] New: elapsed time calculation does not account for time function possibly returning -1
- [Bug 11385] New: calls to functions like close are not wrapped to try again in cases of intermittent interruptions