[packages/rsync.git] / rsync-CVE-2007-4091.patch

--- rsync-2.6.9.orig/sender.c	2006-09-20 03:53:32.000000000 +0200
+++ rsync-2.6.9/sender.c	2007-07-25 15:33:05.000000000 +0200
@@ -123,6 +123,7 @@
 	char fname[MAXPATHLEN];
 	struct file_struct *file;
 	unsigned int offset;
+	size_t l = 0;
 
 	if (ndx < 0 || ndx >= the_file_list->count)
 		return;
@@ -133,6 +134,20 @@
 				    file->dir.root, "/", NULL);
 	} else
 		offset = 0;
+
+	l = offset + 1;
+	if (file) {
+		if (file->dirname)
+			l += strlen(file->dirname);
+		if (file->basename)
+			l += strlen(file->basename);
+	}
+
+	if (l >= sizeof(fname)) {
+		rprintf(FERROR, "Overlong pathname\n");
+		exit_cleanup(RERR_FILESELECT);
+	}
+
 	f_name(file, fname + offset);
 	if (remove_source_files) {
 		if (do_unlink(fname) == 0) {
@@ -224,6 +239,7 @@
 	enum logcode log_code = log_before_transfer ? FLOG : FINFO;
 	int f_xfer = write_batch < 0 ? batch_fd : f_out;
 	int i, j;
+	size_t l = 0;
 
 	if (verbose > 2)
 		rprintf(FINFO, "send_files starting\n");
@@ -259,6 +275,20 @@
 				fname[offset++] = '/';
 		} else
 			offset = 0;
+
+		l = offset + 1;
+		if (file) {
+			if (file->dirname)
+				l += strlen(file->dirname);
+			if (file->basename)
+				l += strlen(file->basename);
+		}
+
+		if (l >= sizeof(fname)) {
+			rprintf(FERROR, "Overlong pathname\n");
+			exit_cleanup(RERR_FILESELECT);
+		}
+
 		fname2 = f_name(file, fname + offset);
 
 		if (verbose > 2)
Commit	Line	Data
4c1f2ed7 AG	1	--- rsync-2.6.9.orig/sender.c 2006-09-20 03:53:32.000000000 +0200
	2	+++ rsync-2.6.9/sender.c 2007-07-25 15:33:05.000000000 +0200
	3	@@ -123,6 +123,7 @@
	4	char fname[MAXPATHLEN];
	5	struct file_struct *file;
	6	unsigned int offset;
	7	+ size_t l = 0;
	8
	9	if (ndx < 0 \|\| ndx >= the_file_list->count)
	10	return;
	11	@@ -133,6 +134,20 @@
	12	file->dir.root, "/", NULL);
	13	} else
	14	offset = 0;
	15	+
	16	+ l = offset + 1;
	17	+ if (file) {
	18	+ if (file->dirname)
	19	+ l += strlen(file->dirname);
	20	+ if (file->basename)
	21	+ l += strlen(file->basename);
	22	+ }
	23	+
	24	+ if (l >= sizeof(fname)) {
	25	+ rprintf(FERROR, "Overlong pathname\n");
	26	+ exit_cleanup(RERR_FILESELECT);
	27	+ }
	28	+
	29	f_name(file, fname + offset);
	30	if (remove_source_files) {
	31	if (do_unlink(fname) == 0) {
	32	@@ -224,6 +239,7 @@
	33	enum logcode log_code = log_before_transfer ? FLOG : FINFO;
	34	int f_xfer = write_batch < 0 ? batch_fd : f_out;
	35	int i, j;
	36	+ size_t l = 0;
	37
	38	if (verbose > 2)
	39	rprintf(FINFO, "send_files starting\n");
	40	@@ -259,6 +275,20 @@
	41	fname[offset++] = '/';
	42	} else
	43	offset = 0;
	44	+
	45	+ l = offset + 1;
	46	+ if (file) {
	47	+ if (file->dirname)
	48	+ l += strlen(file->dirname);
	49	+ if (file->basename)
	50	+ l += strlen(file->basename);
	51	+ }
	52	+
	53	+ if (l >= sizeof(fname)) {
	54	+ rprintf(FERROR, "Overlong pathname\n");
	55	+ exit_cleanup(RERR_FILESELECT);
	56	+ }
	57	+
	58	fname2 = f_name(file, fname + offset);
	59
	60	if (verbose > 2)