--- rsync-2.6.9.orig/sender.c	2006-09-20 03:53:32.000000000 +0200
+++ rsync-2.6.9/sender.c	2007-07-25 15:33:05.000000000 +0200
@@ -123,6 +123,7 @@
 	char fname[MAXPATHLEN];
 	struct file_struct *file;
 	unsigned int offset;
+	size_t l = 0;
 
 	if (ndx < 0 || ndx >= the_file_list->count)
 		return;
@@ -133,6 +134,20 @@
 				    file->dir.root, "/", NULL);
 	} else
 		offset = 0;
+
+	l = offset + 1;
+	if (file) {
+		if (file->dirname)
+			l += strlen(file->dirname);
+		if (file->basename)
+			l += strlen(file->basename);
+	}
+
+	if (l >= sizeof(fname)) {
+		rprintf(FERROR, "Overlong pathname\n");
+		exit_cleanup(RERR_FILESELECT);
+	}
+
 	f_name(file, fname + offset);
 	if (remove_source_files) {
 		if (do_unlink(fname) == 0) {
@@ -224,6 +239,7 @@
 	enum logcode log_code = log_before_transfer ? FLOG : FINFO;
 	int f_xfer = write_batch < 0 ? batch_fd : f_out;
 	int i, j;
+	size_t l = 0;
 
 	if (verbose > 2)
 		rprintf(FINFO, "send_files starting\n");
@@ -259,6 +275,20 @@
 				fname[offset++] = '/';
 		} else
 			offset = 0;
+
+		l = offset + 1;
+		if (file) {
+			if (file->dirname)
+				l += strlen(file->dirname);
+			if (file->basename)
+				l += strlen(file->basename);
+		}
+
+		if (l >= sizeof(fname)) {
+			rprintf(FERROR, "Overlong pathname\n");
+			exit_cleanup(RERR_FILESELECT);
+		}
+
 		fname2 = f_name(file, fname + offset);
 
 		if (verbose > 2)