Index: rsync/NEWS
diff -u /dev/null rsync/NEWS:1.26.4.2
--- /dev/null Fri Jan 25 15:35:23 2002
+++ rsync/NEWS Fri Jan 25 15:31:06 2002
@@ -0,0 +1,7 @@
+rsync 2.3.3 (26 Jan 2002)
+
+ SECURITY FIXES:
+
+ * Signedness security patch from Sebastian Krahmer
+ -- in some cases we were not sufficiently
+ careful about reading integers from the network.
Index: rsync/exclude.c
diff -u rsync/exclude.c:1.28 rsync/exclude.c:1.28.2.1
--- rsync/exclude.c:1.28 Mon Nov 8 01:12:42 1999
+++ rsync/exclude.c Thu Jan 24 19:13:35 2002
@@ -298,7 +298,8 @@ void recv_exclude_list(int f) { char line[MAXPATHLEN]; - int l; + unsigned int l; + while ((l=read_int(f))) { if (l >= MAXPATHLEN) overflow("recv_exclude_list"); read_sbuf(f,line,l);
Index: rsync/fileio.c
diff -u rsync/fileio.c:1.3 rsync/fileio.c:1.3.18.1
--- rsync/fileio.c:1.3 Wed Dec 30 06:48:45 1998
+++ rsync/fileio.c Thu Jan 24 19:13:35 2002
@@ -36,7 +36,7 @@ } -static int write_sparse(int f,char *buf,int len) +static int write_sparse(int f,char *buf,size_t len) { int l1=0,l2=0; int ret;
@@ -69,7 +69,7 @@ -int write_file(int f,char *buf,int len) +int write_file(int f,char *buf,size_t len) { int ret = 0;
Index: rsync/flist.c
diff -u rsync/flist.c:1.78 rsync/flist.c:1.78.2.1
--- rsync/flist.c:1.78 Sat Oct 30 19:19:24 1999
+++ rsync/flist.c Thu Jan 24 19:13:35 2002
@@ -282,7 +282,7 @@ static gid_t last_gid; static char lastname[MAXPATHLEN]; char thisname[MAXPATHLEN]; - int l1=0,l2=0; + unsigned int l1=0,l2=0; char *p; struct file_struct *file;
@@ -345,6 +345,10 @@ if (preserve_links && S_ISLNK(file->mode)) { int l = read_int(f); + if (l < 0) { + rprintf(FERROR,"overflow: l=%d\n", l); + overflow("receive_file_entry"); + } file->link = (char *)malloc(l+1); if (!file->link) out_of_memory("receive_file_entry 2"); read_sbuf(f,file->link,l);
Index: rsync/io.c
diff -u rsync/io.c:1.59 rsync/io.c:1.59.2.1
--- rsync/io.c:1.59 Sat Nov 14 15:31:58 1998
+++ rsync/io.c Thu Jan 24 19:13:35 2002
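Review bot: In recv_exclude_list (exclude.c) the safety of `read_sbuf(f,line,l)` now rests entirely on `l` being unsigned, so that a negative value from `read_int` fails `l >= MAXPATHLEN`, and nothing in the code says so. A comment on the declaration would stop a later cleanup from turning it back into `int`: `unsigned int l; /* unsigned: a negative length from the peer must fail the MAXPATHLEN check */`. The function continues past the end of the hunk.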
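Review bot: write_sparse (fileio.c) takes `size_t len` but keeps `int l1=0,l2=0; int ret;` and an `int` return, so any comparison or subtraction between these and `len` in the body is mixed signed/unsigned, and a byte count above INT_MAX cannot be returned faithfully. The same pattern is visible in write_file (`int ret = 0`), in read_timeout (`int n, ret=0`), readfd (`int total=0`) and writefd_unbuffered (`int total = 0`) in io.c, and in full_write (`int total_written`) and safe_read (`int n_chars`) in util.c. Declaring the running counters as `size_t`, for example `size_t total = 0;`, and keeping a signed type only for the raw result of the read or write call would keep the arithmetic in one domain. The bodies lie outside the hunks, so the actual comparisons need checking in the full files.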
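Review bot: The new check in the symlink branch of receive_file_entry (flist.c) rejects only `l < 0`; any positive value up to INT_MAX still reaches `malloc(l+1)` and `read_sbuf(f,file->link,l)`, so the allocation size is whatever the peer sent, and `l+1` overflows when `l` is INT_MAX. An upper bound belongs in the same test, for example `if (l < 0 || l >= MAXPATHLEN) {`, assuming MAXPATHLEN is the intended limit for a link target as it is for the exclude lines in this patch. The enclosing function starts and ends outside the hunk.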
@@ -75,7 +75,7 @@ /* read from a socket with IO timeout. return the number of bytes read. If no bytes can be read then exit, never return a number <= 0 */ -static int read_timeout(int fd, char *buf, int len) +static int read_timeout(int fd, char *buf, size_t len) { int n, ret=0;
@@ -137,7 +137,7 @@ /* continue trying to read len bytes - don't return until len has been read */ -static void read_loop(int fd, char *buf, int len) +static void read_loop(int fd, char *buf, size_t len) { while (len) { int n = read_timeout(fd, buf, len);
@@ -150,7 +150,7 @@ /* read from the file descriptor handling multiplexing - return number of bytes read never return <= 0 */ -static int read_unbuffered(int fd, char *buf, int len) +static int read_unbuffered(int fd, char *buf, size_t len) { static int remaining; char ibuf[4];
@@ -237,7 +237,7 @@ /* do a buffered read from fd. don't return until all N bytes have been read. If all N can't be read then exit with an error */ -static void readfd(int fd,char *buffer,int N) +static void readfd(int fd,char *buffer,size_t N) { int ret; int total=0;
@@ -303,12 +303,12 @@ return ret; } -void read_buf(int f,char *buf,int len) +void read_buf(int f,char *buf,size_t len) { readfd(f,buf,len); } -void read_sbuf(int f,char *buf,int len) +void read_sbuf(int f,char *buf,size_t len) { read_buf(f,buf,len); buf[len] = 0;
@@ -326,7 +326,7 @@ /* write len bytes to fd, possibly reading from buffer_f_in if set in order to unclog the pipe. don't return until all len bytes have been written */ -static void writefd_unbuffered(int fd,char *buf,int len) +static void writefd_unbuffered(int fd,char *buf,size_t len) { int total = 0; fd_set w_fds, r_fds;
@@ -439,7 +439,7 @@ } } -static void writefd(int fd,char *buf,int len) +static void writefd(int fd,char *buf,size_t len) { stats.total_written += len;
@@ -486,7 +486,7 @@ writefd(f,b,8); } -void write_buf(int f,char *buf,int len) +void write_buf(int f,char *buf,size_t len) { writefd(f,buf,len); }
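Review bot: read_sbuf (io.c, hunk at -303) still stores `buf[len] = 0` without knowing the size of `buf`, and with `size_t len` a negative int passed by a caller is converted to a very large count rather than rejected; readfd, per its own comment, does not return until all N bytes have been read into the buffer. The signature change therefore protects only callers that range-check the length first, as recv_exclude_list does in this patch. A contract comment above the function would make that explicit: `/* reads len bytes and writes buf[len]; caller must ensure len < size of buf */`. Callers not shown in this diff should be checked against it.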
@@ -503,7 +503,7 @@ write_buf(f,(char *)&c,1); } -int read_line(int f, char *buf, int maxlen) +int read_line(int f, char *buf, size_t maxlen) { eof_error = 0;
@@ -570,7 +570,7 @@ } /* write an message to the error stream */ -int io_multiplex_write(int f, char *buf, int len) +int io_multiplex_write(int f, char *buf, size_t len) { if (!io_multiplexing_out) return 0;
Index: rsync/log.c
diff -u rsync/log.c:1.35 rsync/log.c:1.35.2.1
--- rsync/log.c:1.35 Tue Feb 9 09:25:36 1999
+++ rsync/log.c Thu Jan 24 19:13:35 2002
@@ -192,6 +192,8 @@ extern int am_daemon; int64 b; + memset(buf,0,sizeof(buf)); + strlcpy(buf, format, sizeof(buf)); for (s=&buf[0];
@@ -253,7 +255,7 @@ l = strlen(n); - if ((l-1) + ((int)(s - &buf[0])) > sizeof(buf)) { + if (l + ((int)(s - &buf[0])) > sizeof(buf)) { rprintf(FERROR,"buffer overflow expanding %%%c - exiting\n", p[0]); exit_cleanup(RERR_MESSAGEIO);
Index: rsync/proto.h
diff -u rsync/proto.h:1.106 rsync/proto.h:1.106.2.1
--- rsync/proto.h:1.106 Sat Oct 30 20:21:02 1999
+++ rsync/proto.h Thu Jan 24 19:13:35 2002
@@ -36,7 +36,7 @@ void add_include_line(char *p); void add_cvs_excludes(void); int sparse_end(int f); -int write_file(int f,char *buf,int len); +int write_file(int f,char *buf,size_t len); struct map_struct *map_file(int fd,OFF_T len); char *map_ptr(struct map_struct *map,OFF_T offset,int len); void unmap_file(struct map_struct *map);
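Review bot: The corrected bound in log.c (hunk at -253), `if (l + ((int)(s - &buf[0])) > sizeof(buf)) {`, counts only the offset of `s` and the length of the expansion; as far as the hunk shows, neither the text that follows the directive in `buf` nor the terminating NUL is included, so a long tail could still push the result past the end of the buffer. Assuming `s` points into the directive being expanded, a form that errs on the side of rejecting is `if ((size_t)(s - &buf[0]) + l + strlen(s) + 1 > sizeof(buf)) {`. That also drops the `(int)` cast, whose result is compared against an unsigned `sizeof` anyway. The copy that this check guards is outside the hunk, so the exact accounting needs confirming against the full function.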
@@ -58,21 +58,21 @@ void setup_readbuffer(int f_in); int32 read_int(int f); int64 read_longint(int f); -void read_buf(int f,char *buf,int len); -void read_sbuf(int f,char *buf,int len); +void read_buf(int f,char *buf,size_t len); +void read_sbuf(int f,char *buf,size_t len); unsigned char read_byte(int f); void io_start_buffering(int fd); void io_flush(void); void io_end_buffering(int fd); void write_int(int f,int32 x); void write_longint(int f, int64 x); -void write_buf(int f,char *buf,int len); +void write_buf(int f,char *buf,size_t len); void write_byte(int f,unsigned char c); -int read_line(int f, char *buf, int maxlen); +int read_line(int f, char *buf, size_t maxlen); void io_printf(int fd, const char *format, ...); void io_start_multiplex_out(int fd); void io_start_multiplex_in(int fd); -int io_multiplex_write(int f, char *buf, int len); +int io_multiplex_write(int f, char *buf, size_t len); void io_close_input(int fd); char *lp_motd_file(void); char *lp_log_file(void);
Index: rsync/receiver.c
diff -u rsync/receiver.c:1.21 rsync/receiver.c:1.21.2.1
--- rsync/receiver.c:1.21 Mon Nov 8 05:03:05 1999
+++ rsync/receiver.c Thu Jan 24 19:13:35 2002
@@ -200,7 +200,8 @@ static int receive_data(int f_in,struct map_struct *buf,int fd,char *fname, OFF_T total_size) { - int i,n,remainder,len,count; + int i; + unsigned int n,remainder,len,count; OFF_T offset = 0; OFF_T offset2; char *data;
Index: rsync/rsync.h
diff -u rsync/rsync.h:1.83 rsync/rsync.h:1.83.2.1
--- rsync/rsync.h:1.83 Fri Jun 25 18:06:38 1999
+++ rsync/rsync.h Thu Jan 24 19:13:35 2002
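Review bot: receive_data (receiver.c) now declares `unsigned int n,remainder,len,count;` while the same-named quantities in struct sum_struct (rsync.h, later in this patch) become `size_t`, so the two differ in width wherever `size_t` is wider than `unsigned int`. Using one type for both, e.g. `size_t n,remainder,len,count;`, avoids silent truncation if values move between the locals and the struct. `i` is left as `int`; if that is because it can legitimately be negative, a short comment such as `/* i stays signed: negative values are meaningful */` would record the reason. The body that would confirm either point is outside the hunk.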
@@ -323,9 +323,9 @@ struct sum_struct { OFF_T flength; /* total file length */ - int count; /* how many chunks */ - int remainder; /* flength % block_length */ - int n; /* block_length */ + size_t count; /* how many chunks */ + size_t remainder; /* flength % block_length */ + size_t n; /* block_length */ struct sum_buf *sums; /* points to info for each chunk */ };
Index: rsync/util.c
diff -u rsync/util.c:1.72 rsync/util.c:1.72.2.1
--- rsync/util.c:1.72 Mon Oct 25 15:04:09 1999
+++ rsync/util.c Thu Jan 24 19:13:35 2002
@@ -229,7 +229,7 @@ derived from GNU C's cccp.c. */ -static int full_write(int desc, char *ptr, int len) +static int full_write(int desc, char *ptr, size_t len) { int total_written;
@@ -255,11 +255,11 @@ for an error. derived from GNU C's cccp.c. */ -static int safe_read(int desc, char *ptr, int len) +static int safe_read(int desc, char *ptr, size_t len) { int n_chars; - if (len <= 0) + if (len == 0) return len; #ifdef EINTR
Index: rsync/version.h
diff -u rsync/version.h:1.55 rsync/version.h:1.55.2.2
--- rsync/version.h:1.55 Mon Nov 8 05:15:48 1999
+++ rsync/version.h Fri Jan 25 15:31:06 2002
@@ -1 +1 @@
-#define VERSION "2.3.2"
+#define VERSION "2.3.3"
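Review bot: The sum_struct fields `count`, `remainder` and `n` (rsync.h) become `size_t`, but read_int() is declared in proto.h as returning `int32`, so if these fields are assigned directly from it a negative value turns into a very large `size_t` instead of being caught. The type change needs a range check at the point of assignment, which is outside this diff: read into an `int32`, reject negatives, and reject a `remainder` larger than `n`, since the field comment defines it as `flength % block_length`. Any format string that prints these fields with `%d` would also need updating; none is visible here.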
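Review bot: In safe_read (util.c) the early exit `if (len == 0) return len;` returns a `size_t` from a function declared `int`; `return 0;` says the same thing without the implicit conversion. The rest of the function, after `#ifdef EINTR`, is outside the hunk.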