1
0
mirror of https://git.FreeBSD.org/ports.git synced 2024-12-22 04:17:44 +00:00

Fix a signedness security vunerability discovered by Todd@openbsd.org where

rsync was not sufficiently careful about reading integers from the network.
This is fixed in the rsync CVS repo by a patch from Sebastian Krahmer
<krahmer@suse.de>.

Submitted by:	naddy
Approved by:	steve
Obtained from:	rsync CVS repo
This commit is contained in:
David E. O'Brien 2002-01-23 23:32:21 +00:00
parent 74946ad603
commit 4bbf513623
Notes: svn2git 2021-03-31 03:12:20 +00:00
svn path=/head/; revision=53661
2 changed files with 316 additions and 0 deletions

View File

@ -8,6 +8,7 @@
PORTNAME= rsync
PORTVERSION= 2.5.1
PORTREVISION= 1
CATEGORIES= net ipv6
MASTER_SITES= ftp://samba.anu.edu.au/pub/rsync/ \
ftp://sunsite.auc.dk/pub/unix/rsync/ \

View File

@ -0,0 +1,315 @@
Index: exclude.c
diff -u exclude.c:1.38 exclude.c:1.39
--- exclude.c:1.38 Wed Jun 20 23:15:34 2001
+++ exclude.c Tue Jan 22 20:57:18 2002
@@ -299,7 +299,8 @@
void recv_exclude_list(int f)
{
char line[MAXPATHLEN];
- int l;
+ unsigned int l;
+
while ((l=read_int(f))) {
if (l >= MAXPATHLEN) overflow("recv_exclude_list");
read_sbuf(f,line,l);
Index: fileio.c
diff -u fileio.c:1.3 fileio.c:1.4
--- fileio.c:1.3 Wed Dec 30 06:48:45 1998
+++ fileio.c Tue Jan 22 20:57:18 2002
@@ -36,7 +36,7 @@
}
-static int write_sparse(int f,char *buf,int len)
+static int write_sparse(int f,char *buf,size_t len)
{
int l1=0,l2=0;
int ret;
@@ -69,7 +69,7 @@
-int write_file(int f,char *buf,int len)
+int write_file(int f,char *buf,size_t len)
{
int ret = 0;
Index: flist.c
diff -u flist.c:1.102 flist.c:1.103
--- flist.c:1.102 Tue Jan 15 03:50:32 2002
+++ flist.c Tue Jan 22 20:57:18 2002
@@ -375,7 +375,7 @@
static gid_t last_gid;
static char lastname[MAXPATHLEN];
char thisname[MAXPATHLEN];
- int l1=0,l2=0;
+ unsigned int l1=0,l2=0;
char *p;
struct file_struct *file;
@@ -442,6 +442,10 @@
if (preserve_links && S_ISLNK(file->mode)) {
int l = read_int(f);
+ if (l < 0) {
+ rprintf(FERROR,"overflow: l=%d\n", l);
+ overflow("receive_file_entry");
+ }
file->link = (char *)malloc(l+1);
if (!file->link) out_of_memory("receive_file_entry 2");
read_sbuf(f,file->link,l);
Index: io.c
diff -u io.c:1.87 io.c:1.88
--- io.c:1.87 Sat Sep 8 21:42:09 2001
+++ io.c Tue Jan 22 20:57:18 2002
@@ -49,7 +49,7 @@
static int io_error_fd = -1;
-static void read_loop(int fd, char *buf, int len);
+static void read_loop(int fd, char *buf, size_t len);
static void check_timeout(void)
{
@@ -163,7 +163,7 @@
* give a better explanation. We can tell whether the connection has
* started by looking e.g. at whether the remote version is known yet.
*/
-static int read_timeout (int fd, char *buf, int len)
+static int read_timeout (int fd, char *buf, size_t len)
{
int n, ret=0;
@@ -236,7 +236,7 @@
/*! Continue trying to read len bytes - don't return until len has
been read. */
-static void read_loop (int fd, char *buf, int len)
+static void read_loop (int fd, char *buf, size_t len)
{
while (len) {
int n = read_timeout(fd, buf, len);
@@ -253,7 +253,7 @@
*
* Never returns <= 0.
*/
-static int read_unbuffered(int fd, char *buf, int len)
+static int read_unbuffered(int fd, char *buf, size_t len)
{
static int remaining;
int tag, ret=0;
@@ -305,7 +305,7 @@
/* do a buffered read from fd. don't return until all N bytes
have been read. If all N can't be read then exit with an error */
-static void readfd (int fd, char *buffer, int N)
+static void readfd (int fd, char *buffer, size_t N)
{
int ret;
int total=0;
@@ -356,12 +356,12 @@
return ret;
}
-void read_buf(int f,char *buf,int len)
+void read_buf(int f,char *buf,size_t len)
{
readfd(f,buf,len);
}
-void read_sbuf(int f,char *buf,int len)
+void read_sbuf(int f,char *buf,size_t len)
{
read_buf (f,buf,len);
buf[len] = 0;
@@ -375,7 +375,7 @@
}
/* write len bytes to fd */
-static void writefd_unbuffered(int fd,char *buf,int len)
+static void writefd_unbuffered(int fd,char *buf,size_t len)
{
int total = 0;
fd_set w_fds, r_fds;
@@ -483,7 +483,7 @@
/* write an message to a multiplexed stream. If this fails then rsync
exits */
-static void mplex_write(int fd, enum logcode code, char *buf, int len)
+static void mplex_write(int fd, enum logcode code, char *buf, size_t len)
{
char buffer[4096];
int n = len;
@@ -533,7 +533,7 @@
}
}
-static void writefd(int fd,char *buf,int len)
+static void writefd(int fd,char *buf,size_t len)
{
stats.total_written += len;
@@ -587,7 +587,7 @@
writefd(f,b,8);
}
-void write_buf(int f,char *buf,int len)
+void write_buf(int f,char *buf,size_t len)
{
writefd(f,buf,len);
}
@@ -606,7 +606,7 @@
-int read_line(int f, char *buf, int maxlen)
+int read_line(int f, char *buf, size_t maxlen)
{
while (maxlen) {
buf[0] = 0;
@@ -664,7 +664,7 @@
}
/* write an message to the multiplexed error stream */
-int io_multiplex_write(enum logcode code, char *buf, int len)
+int io_multiplex_write(enum logcode code, char *buf, size_t len)
{
if (!io_multiplexing_out) return 0;
Index: log.c
diff -u log.c:1.53 log.c:1.54
--- log.c:1.53 Mon Sep 3 20:12:55 2001
+++ log.c Tue Jan 22 20:57:18 2002
@@ -466,7 +466,7 @@
l = strlen(n);
- if ((l-1) + ((int)(s - &buf[0])) > sizeof(buf)) {
+ if (l + ((int)(s - &buf[0])) >= sizeof(buf)) {
rprintf(FERROR,"buffer overflow expanding %%%c - exiting\n",
p[0]);
exit_cleanup(RERR_MESSAGEIO);
Index: proto.h
diff -u proto.h:1.133 proto.h:1.134
--- proto.h:1.133 Sun Nov 25 23:18:09 2001
+++ proto.h Tue Jan 22 20:57:18 2002
@@ -15,10 +15,12 @@
unsigned char read_batch_flags();
void read_batch_flist_info(struct file_struct **fptr);
void write_batch_csums_file(char *buff, int bytes_to_write);
-void close_batch_csums_file() ;
-void write_batch_csum_info(int *flist_entry, int flist_count, struct sum_struct *s);
+void close_batch_csums_file();
+void write_batch_csum_info(int *flist_entry, int flist_count,
+ struct sum_struct *s);
int read_batch_csums_file(char *buff, int len);
-void read_batch_csum_info(int flist_entry, struct sum_struct *s, int *checksums_match);
+void read_batch_csum_info(int flist_entry, struct sum_struct *s,
+ int *checksums_match);
void write_batch_delta_file(char *buff, int bytes_to_write);
void close_batch_delta_file();
int read_batch_delta_file(char *buff, int len);
@@ -55,7 +57,7 @@
void add_include_line(char *p);
void add_cvs_excludes(void);
int sparse_end(int f);
-int write_file(int f,char *buf,int len);
+int write_file(int f,char *buf,size_t len);
struct map_struct *map_file(int fd,OFF_T len);
char *map_ptr(struct map_struct *map,OFF_T offset,int len);
void unmap_file(struct map_struct *map);
@@ -81,21 +83,21 @@
void io_set_error_fd(int fd);
int32 read_int(int f);
int64 read_longint(int f);
-void read_buf(int f,char *buf,int len);
-void read_sbuf(int f,char *buf,int len);
+void read_buf(int f,char *buf,size_t len);
+void read_sbuf(int f,char *buf,size_t len);
unsigned char read_byte(int f);
void io_start_buffering(int fd);
void io_flush(void);
void io_end_buffering(int fd);
void write_int(int f,int32 x);
void write_longint(int f, int64 x);
-void write_buf(int f,char *buf,int len);
+void write_buf(int f,char *buf,size_t len);
void write_byte(int f,unsigned char c);
-int read_line(int f, char *buf, int maxlen);
+int read_line(int f, char *buf, size_t maxlen);
void io_printf(int fd, const char *format, ...);
void io_start_multiplex_out(int fd);
void io_start_multiplex_in(int fd);
-int io_multiplex_write(enum logcode code, char *buf, int len);
+int io_multiplex_write(enum logcode code, char *buf, size_t len);
void io_multiplexing_close(void);
char *lp_motd_file(void);
char *lp_log_file(void);
@@ -166,6 +168,9 @@
void sig_int(void);
void finish_transfer(char *fname, char *fnametmp, struct file_struct *file);
void send_files(struct file_list *flist,int f_out,int f_in);
+int try_bind_local(int s,
+ int ai_family, int ai_socktype,
+ const char *bind_address);
int open_socket_out(char *host, int port, const char *bind_address,
int af_hint);
int open_socket_out_wrapped (char *host,
Index: receiver.c
diff -u receiver.c:1.34 receiver.c:1.35
--- receiver.c:1.34 Fri Jan 11 00:25:33 2002
+++ receiver.c Tue Jan 22 20:57:18 2002
@@ -206,7 +206,8 @@
static int receive_data(int f_in,struct map_struct *buf,int fd,char *fname,
OFF_T total_size)
{
- int i,n,remainder,len,count;
+ int i;
+ unsigned int n,remainder,len,count;
OFF_T offset = 0;
OFF_T offset2;
char *data;
Index: rsync.h
diff -u rsync.h:1.116 rsync.h:1.117
--- rsync.h:1.116 Fri Jan 11 00:37:42 2002
+++ rsync.h Tue Jan 22 20:57:19 2002
@@ -374,9 +374,9 @@
struct sum_struct {
OFF_T flength; /* total file length */
- int count; /* how many chunks */
- int remainder; /* flength % block_length */
- int n; /* block_length */
+ size_t count; /* how many chunks */
+ size_t remainder; /* flength % block_length */
+ size_t n; /* block_length */
struct sum_buf *sums; /* points to info for each chunk */
};
Index: util.c
diff -u util.c:1.98 util.c:1.99
--- util.c:1.98 Tue Jan 15 02:05:28 2002
+++ util.c Tue Jan 22 20:57:19 2002
@@ -275,7 +275,7 @@
derived from GNU C's cccp.c.
*/
-static int full_write(int desc, char *ptr, int len)
+static int full_write(int desc, char *ptr, size_t len)
{
int total_written;
@@ -301,11 +301,11 @@
for an error.
derived from GNU C's cccp.c. */
-static int safe_read(int desc, char *ptr, int len)
+static int safe_read(int desc, char *ptr, size_t len)
{
int n_chars;
- if (len <= 0)
+ if (len == 0)
return len;
#ifdef EINTR