search for: dget_len

...rsync-qa at samba.org A suspicious integer overflow is found in xattrs.c:692. The code snippet is as follows. 684 for (num = 1; num <= count; num++) { 685 char *ptr, *name; 686 rsync_xa *rxa; 687 size_t name_len = read_varint(f); 688 size_t datum_len = read_varint(f); 689 size_t dget_len = datum_len > MAX_FULL_DATUM ? 1 + MAX_DIGEST_LEN : datum_len; 690 size_t extra_len = MIGHT_NEED_RPRE ? RPRE_LEN : 0; 691 if ((dget_len + extra_len < dget_len) 692 || (dget_len + extra_len + name_len < dget_len)) 693 overflow_exit("receive_xattr"); 694 ptr = n...

...e snippets are from xattrs.c in receive_xattr a name is read from the sender. The name might need to be prefixed depending on am_root. To make room for this prefix extra_len is possibly allocated. 818 size_t extra_len = MIGHT_NEED_RPRE ? RPRE_LEN : 0; 822 ptr = new_array(char, dget_len + extra_len + name_len); <-- the length values are received from the sender. In this case I'm sending dget_len = 0 61 #ifdef HAVE_LINUX_XATTRS 62 #define MIGHT_NEED_RPRE (am_root < 0) The issue is that am_root < 0 isn't the only time that a prefix might be prepended to name....