search for: rpre_len

...".", ".", "\0"}; code snippets are from xattrs.c in receive_xattr a name is read from the sender. The name might need to be prefixed depending on am_root. To make room for this prefix extra_len is possibly allocated. 818 size_t extra_len = MIGHT_NEED_RPRE ? RPRE_LEN : 0; 822 ptr = new_array(char, dget_len + extra_len + name_len); <-- the length values are received from the sender. In this case I'm sending dget_len = 0 61 #ifdef HAVE_LINUX_XATTRS 62 #define MIGHT_NEED_RPRE (am_root < 0) The issue is that am_root < 0 isn't the on...

...+1043,9 @@ static int rsync_xal_set(const char *fname, item_list *xalp, if (user_only ? !HAS_PREFIX(name, USER_PREFIX) : HAS_PREFIX(name, SYSTEM_PREFIX)) continue; + + if (!strcmp(name, "security.evm")) + continue; #endif if (am_root < 0 && name_len > RPRE_LEN && name[RPRE_LEN] == '%' && strcmp(name, XSTAT_ATTR) == 0) -- 2.7.4

https://bugzilla.samba.org/show_bug.cgi?id=13112 Bug ID: 13112 Summary: receive_xattr heap overread with non null terminated name and xattr filter Product: rsync Version: 3.1.3 Hardware: All OS: All Status: NEW Severity: normal Priority: P5 Component: core

...(num = 1; num <= count; num++) { 685 char *ptr, *name; 686 rsync_xa *rxa; 687 size_t name_len = read_varint(f); 688 size_t datum_len = read_varint(f); 689 size_t dget_len = datum_len > MAX_FULL_DATUM ? 1 + MAX_DIGEST_LEN : datum_len; 690 size_t extra_len = MIGHT_NEED_RPRE ? RPRE_LEN : 0; 691 if ((dget_len + extra_len < dget_len) 692 || (dget_len + extra_len + name_len < dget_len)) 693 overflow_exit("receive_xattr"); 694 ptr = new_array(char, dget_len + extra_len + name_len); 695 if (!ptr) 696 out_of_memory("receive_xattr");...