Index: rsync/NEWS
diff -u /dev/null rsync/NEWS:1.26.2.3
--- /dev/null Fri Jan 25 15:35:51 2002
+++ rsync/NEWS Fri Jan 25 15:33:24 2002
@@ -0,0 +1,7 @@
+rsync 2.4.8 (26 Jan 2002)
+
+ SECURITY FIXES:
+
+ * Signedness security patch from Sebastian Krahmer
+ -- in some cases we were not sufficiently
+ careful about reading integers from the network.
Index: rsync/exclude.c
diff -u rsync/exclude.c:1.32 rsync/exclude.c:1.32.6.1
--- rsync/exclude.c:1.32 Mon Aug 28 21:45:49 2000
+++ rsync/exclude.c Thu Jan 24 16:56:35 2002
@@ -263,7 +263,8 @@ void recv_exclude_list(int f) { char line[MAXPATHLEN];
- int l;
+ unsigned int l;
+ while ((l=read_int(f))) { if (l >= MAXPATHLEN) overflow("recv_exclude_list"); read_sbuf(f,line,l);
Index: rsync/fileio.c
diff -u rsync/fileio.c:1.3 rsync/fileio.c:1.3.16.1
--- rsync/fileio.c:1.3 Wed Dec 30 06:48:45 1998
+++ rsync/fileio.c Thu Jan 24 16:56:35 2002
@@ -36,7 +36,7 @@ }
-static int write_sparse(int f,char *buf,int len)
+static int write_sparse(int f,char *buf,size_t len)
 { int l1=0,l2=0; int ret;
@@ -69,7 +69,7 @@
-int write_file(int f,char *buf,int len)
+int write_file(int f,char *buf,size_t len)
 { int ret = 0;
Index: rsync/flist.c
diff -u rsync/flist.c:1.88 rsync/flist.c:1.88.6.1
--- rsync/flist.c:1.88 Thu Aug 31 16:01:28 2000
+++ rsync/flist.c Thu Jan 24 16:56:35 2002
@@ -334,7 +334,7 @@ static gid_t last_gid; static char lastname[MAXPATHLEN]; char thisname[MAXPATHLEN];
- int l1=0,l2=0;
+ unsigned int l1=0,l2=0;
 char *p; struct file_struct *file;
@@ -401,6 +401,10 @@ if (preserve_links && S_ISLNK(file->mode)) { int l = read_int(f);
+ if (l < 0) {
+ rprintf(FERROR,"overflow: l=%d\n", l);
+ overflow("receive_file_entry");
+ }
 file->link = (char *)malloc(l+1); if (!file->link) out_of_memory("receive_file_entry 2"); read_sbuf(f,file->link,l);
Index: rsync/io.c
diff -u rsync/io.c:1.76 rsync/io.c:1.76.8.1
--- rsync/io.c:1.76 Mon Aug 28 22:07:08 2000
+++ rsync/io.c Thu Jan 24 16:56:35 2002
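Review bot: The guard added to the symlink branch in the flist.c hunk at -401 rejects only a negative `l`, so any value up to INT_MAX read from the peer still reaches `malloc(l+1)`, and `l+1` overflows a signed int when `l` is INT_MAX. An upper bound belongs in the same test, following the check recv_exclude_list already uses in exclude.c: `if (l < 0 || l >= MAXPATHLEN) {`. That assumes a link target never legitimately exceeds MAXPATHLEN, which should be confirmed against the sending side. The enclosing function starts and ends outside the hunk.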
@@ -41,7 +41,7 @@ static int io_error_fd = -1;
-static void read_loop(int fd, char *buf, int len);
+static void read_loop(int fd, char *buf, size_t len);
 static void check_timeout(void) {
@@ -106,7 +106,7 @@ /* read from a socket with IO timeout. return the number of bytes read. If no bytes can be read then exit, never return a number <= 0 */
-static int read_timeout(int fd, char *buf, int len)
+static int read_timeout(int fd, char *buf, size_t len)
 { int n, ret=0;
@@ -183,7 +183,7 @@ /* continue trying to read len bytes - don't return until len has been read */
-static void read_loop(int fd, char *buf, int len)
+static void read_loop(int fd, char *buf, size_t len)
 { while (len) { int n = read_timeout(fd, buf, len);
@@ -196,7 +196,7 @@ /* read from the file descriptor handling multiplexing - return number of bytes read never return <= 0 */
-static int read_unbuffered(int fd, char *buf, int len)
+static int read_unbuffered(int fd, char *buf, size_t len)
 { static int remaining; int tag, ret=0;
@@ -248,7 +248,7 @@ /* do a buffered read from fd. don't return until all N bytes have been read. If all N can't be read then exit with an error */
-static void readfd(int fd,char *buffer,int N)
+static void readfd(int fd,char *buffer,size_t N)
 { int ret; int total=0;
@@ -299,12 +299,12 @@ return ret; }
-void read_buf(int f,char *buf,int len)
+void read_buf(int f,char *buf,size_t len)
 { readfd(f,buf,len); }
-void read_sbuf(int f,char *buf,int len)
+void read_sbuf(int f,char *buf,size_t len)
 { read_buf(f,buf,len); buf[len] = 0;
@@ -318,7 +318,7 @@ } /* write len bytes to fd */
-static void writefd_unbuffered(int fd,char *buf,int len)
+static void writefd_unbuffered(int fd,char *buf,size_t len)
 { int total = 0; fd_set w_fds, r_fds;
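Review bot: Widening `len` to `size_t` in read_timeout (io.c hunk at -106) leaves the return type and the locals `int n, ret=0;` as `int`, so the function now mixes signed and unsigned lengths and cannot report a count above INT_MAX. The same pattern is visible in the other hunks of this file and in util.c: read_loop keeps `int n`, readfd `int total=0`, writefd_unbuffered `int total = 0`, mplex_write narrows straight back with `int n = len;`, and full_write keeps `int total_written`. The parameter change also validates nothing by itself, because a negative `int` passed by a caller converts silently to a very large `size_t`; each caller that takes a length from the wire still needs its own range check. I would make the counters match the parameter, for example `size_t n = len;` in mplex_write, and build with `-Wsign-compare` to find the remaining mixed comparisons. All of these function bodies continue outside their hunks.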
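Review bot: read_sbuf in the io.c hunk at -299 still writes the terminator at `buf[len]` without knowing the size of `buf`, so it is safe only when every caller has already checked that `len` is strictly less than its buffer size. With `len` now unsigned, a negative wire value arrives as a huge length rather than a negative one, which makes that caller-side check the only protection. A comment above the function would record the contract: `/* reads len bytes and NUL-terminates; buf must hold at least len+1 bytes, caller must bound len */`.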
@@ -419,7 +419,7 @@ /* write an message to a multiplexed stream. If this fails then rsync exits */
-static void mplex_write(int fd, enum logcode code, char *buf, int len)
+static void mplex_write(int fd, enum logcode code, char *buf, size_t len)
 { char buffer[4096]; int n = len;
@@ -475,7 +475,7 @@ }
-static void writefd(int fd,char *buf,int len)
+static void writefd(int fd,char *buf,size_t len)
 { stats.total_written += len;
@@ -522,7 +522,7 @@ writefd(f,b,8); }
-void write_buf(int f,char *buf,int len)
+void write_buf(int f,char *buf,size_t len)
 { writefd(f,buf,len); }
@@ -539,7 +539,7 @@ write_buf(f,(char *)&c,1); }
-int read_line(int f, char *buf, int maxlen)
+int read_line(int f, char *buf, size_t maxlen)
 { eof_error = 0;
@@ -601,7 +601,7 @@ } /* write an message to the multiplexed error stream */
-int io_multiplex_write(enum logcode code, char *buf, int len)
+int io_multiplex_write(enum logcode code, char *buf, size_t len)
 { if (!io_multiplexing_out) return 0;
@@ -612,7 +612,7 @@ } /* write a message to the special error fd */
-int io_error_write(int f, enum logcode code, char *buf, int len)
+int io_error_write(int f, enum logcode code, char *buf, size_t len)
 { if (f == -1) return 0; mplex_write(f, code, buf, len);
Index: rsync/log.c
diff -u rsync/log.c:1.40 rsync/log.c:1.40.6.1
--- rsync/log.c:1.40 Fri Jan 28 21:16:13 2000
+++ rsync/log.c Thu Jan 24 16:56:35 2002
@@ -215,6 +215,8 @@ extern int am_daemon; int64 b;
+ memset(buf,0,sizeof(buf));
+ strlcpy(buf, format, sizeof(buf)); for (s=&buf[0];
@@ -276,7 +278,7 @@ l = strlen(n);
- if ((l-1) + ((int)(s - &buf[0])) > sizeof(buf)) {
+ if (l + ((int)(s - &buf[0])) > sizeof(buf)) {
 rprintf(FERROR,"buffer overflow expanding %%%c - exiting\n", p[0]); exit_cleanup(RERR_MESSAGEIO);
Index: rsync/proto.h
diff -u rsync/proto.h:1.122 rsync/proto.h:1.122.10.1
--- rsync/proto.h:1.122 Tue Sep 5 19:12:13 2000
+++ rsync/proto.h Thu Jan 24 16:56:35 2002
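Review bot: The corrected test in the log.c hunk at -276 bounds only the offset of `s` plus the expansion length `l`, and nothing in the hunk shows that the text following the escape is counted. If the code after the hunk shifts the remainder of the format string to make room for the expansion, the length of that tail and its NUL have to fit as well, so the condition would need a term such as `strlen(s)` added; this has to be checked against the lines that follow, which are outside the hunk. A one-line comment stating what the left-hand side represents, for example `/* bytes of buf in use once the escape is replaced by n */`, would make the off-by-one that this change corrects harder to reintroduce.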
@@ -35,7 +35,7 @@ void add_include_line(char *p); void add_cvs_excludes(void); int sparse_end(int f);
-int write_file(int f,char *buf,int len);
+int write_file(int f,char *buf,size_t len);
 struct map_struct *map_file(int fd,OFF_T len); char *map_ptr(struct map_struct *map,OFF_T offset,int len); void unmap_file(struct map_struct *map);
@@ -61,8 +61,8 @@ void io_set_error_fd(int fd); int32 read_int(int f); int64 read_longint(int f);
-void read_buf(int f,char *buf,int len);
-void read_sbuf(int f,char *buf,int len);
+void read_buf(int f,char *buf,size_t len);
+void read_sbuf(int f,char *buf,size_t len);
 unsigned char read_byte(int f); void io_start_buffering(int fd); void io_flush(void);
@@ -70,14 +70,14 @@ void io_shutdown(void); void write_int(int f,int32 x); void write_longint(int f, int64 x);
-void write_buf(int f,char *buf,int len);
+void write_buf(int f,char *buf,size_t len);
 void write_byte(int f,unsigned char c);
-int read_line(int f, char *buf, int maxlen);
+int read_line(int f, char *buf, size_t maxlen);
 void io_printf(int fd, const char *format, ...); void io_start_multiplex_out(int fd); void io_start_multiplex_in(int fd);
-int io_multiplex_write(enum logcode code, char *buf, int len);
-int io_error_write(int f, enum logcode code, char *buf, int len);
+int io_multiplex_write(enum logcode code, char *buf, size_t len);
+int io_error_write(int f, enum logcode code, char *buf, size_t len);
 void io_multiplexing_close(void); char *lp_motd_file(void); char *lp_log_file(void);
Index: rsync/receiver.c
diff -u rsync/receiver.c:1.29 rsync/receiver.c:1.29.8.1
--- rsync/receiver.c:1.29 Mon Mar 20 20:06:04 2000
+++ rsync/receiver.c Thu Jan 24 16:56:35 2002
@@ -204,7 +204,8 @@ static int receive_data(int f_in,struct map_struct *buf,int fd,char *fname, OFF_T total_size) {
- int i,n,remainder,len,count;
+ int i;
+ unsigned int n,remainder,len,count;
 OFF_T offset = 0; OFF_T offset2; char *data;
Index: rsync/rsync.h
diff -u rsync/rsync.h:1.94 rsync/rsync.h:1.94.6.1
--- rsync/rsync.h:1.94 Wed Aug 16 01:34:18 2000
+++ rsync/rsync.h Thu Jan 24 16:56:35 2002
@@ -331,9 +331,9 @@ struct sum_struct { OFF_T flength; /* total file length */
- int count; /* how many chunks */
- int remainder; /* flength % block_length */
- int n; /* block_length */
+ size_t count; /* how many chunks */
+ size_t remainder; /* flength % block_length */
+ size_t n; /* block_length */
 struct sum_buf *sums; /* points to info for each chunk */ };
Index: rsync/util.c
diff -u rsync/util.c:1.86 rsync/util.c:1.86.8.1
--- rsync/util.c:1.86 Tue Sep 5 19:12:13 2000
+++ rsync/util.c Thu Jan 24 16:56:35 2002
@@ -269,7 +269,7 @@ derived from GNU C's cccp.c. */
-static int full_write(int desc, char *ptr, int len)
+static int full_write(int desc, char *ptr, size_t len)
 { int total_written;
@@ -295,11 +295,11 @@ for an error. derived from GNU C's cccp.c. */
-static int safe_read(int desc, char *ptr, int len)
+static int safe_read(int desc, char *ptr, size_t len)
 { int n_chars;
- if (len <= 0)
+ if (len == 0)
 return len; #ifdef EINTR
Index: rsync/version.h
diff -u rsync/version.h:1.66 rsync/version.h:1.66.8.3
--- rsync/version.h:1.66 Tue Sep 5 19:47:00 2000
+++ rsync/version.h Fri Jan 25 15:33:24 2002
@@ -1 +1 @@
-#define VERSION "2.4.6"
+#define VERSION "2.4.8"
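Review bot: Changing `count`, `remainder` and `n` in struct sum_struct (rsync.h hunk at -331) to `size_t` removes negative values but does not bound them, and the code that fills and consumes these fields is not part of this diff. If they are assigned from `read_int()`, which proto.h declares as returning `int32`, a negative wire value converts to a very large `size_t`, so the reader still needs explicit range checks before the fields are used for allocation sizes or loop limits. Any existing `%d` format that prints these fields would also become a type mismatch where `size_t` is wider than `int`. receive_data in receiver.c now declares its locals of the same names as `unsigned int`, so the two files disagree on width; choosing one type for both would avoid silent truncation between them.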