fixed a string termination bug in the uidlist handling code. I've also
authorAndrew Tridgell <tridge@samba.org>
Wed, 1 Apr 1998 05:20:19 +0000 (05:20 +0000)
committerAndrew Tridgell <tridge@samba.org>
Wed, 1 Apr 1998 05:20:19 +0000 (05:20 +0000)
added a read_sbuf() routine that fixes this kind of bug generically to
avoid similar problems in future.

exclude.c
flist.c
io.c
uidlist.c
util.c

index 935c0c5..83c0b39 100644 (file)
--- a/exclude.c
+++ b/exclude.c
@@ -164,9 +164,9 @@ void recv_exclude_list(int f)
   char line[MAXPATHLEN];
   int l;
   while ((l=read_int(f))) {
-    read_buf(f,line,l);
-    line[l] = 0;
-    add_exclude(line);
+         if (l >= MAXPATHLEN) overflow("recv_exclude_list");
+         read_sbuf(f,line,l);
+         add_exclude(line);
   }
 }
 
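Review bot: A negative length still passes the new guard in recv_exclude_list, because `l` is a signed int and `l >= MAXPATHLEN` bounds it only from above. If read_int() can return a negative value taken from the peer, read_sbuf() then executes `buf[len] = 0` with a negative index and writes before `line`. The guard should reject both sides: `if (l < 0 || l >= MAXPATHLEN) overflow("recv_exclude_list");`. The same lower bound is missing for `l` in the symlink hunk of flist.c, and possibly for `l2` in the first flist.c hunk, whose declaration is not visible in the diff.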
diff --git a/flist.c b/flist.c
index f6f2c99..3e3b3a6 100644 (file)
--- a/flist.c
+++ b/flist.c
@@ -251,8 +251,10 @@ void receive_file_entry(struct file_struct **fptr,
   bzero((char *)file,sizeof(*file));
   (*fptr) = file;
 
+  if (l2 >= MAXPATHLEN-l1) overflow("receive_file_entry");
+
   strncpy(thisname,lastname,l1);
-  read_buf(f,&thisname[l1],l2);
+  read_sbuf(f,&thisname[l1],l2);
   thisname[l1+l2] = 0;
 
   strncpy(lastname,thisname,MAXPATHLEN-1);
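Review bot: `thisname[l1+l2] = 0;` is now redundant, because `read_sbuf(f,&thisname[l1],l2)` already writes the terminator at that same index. Dropping it would keep this call site consistent with the exclude.c and symlink call sites, where the manual termination was removed. receive_file_entry starts and ends outside this hunk, so the declarations of `l1`, `l2` and `thisname` cannot be checked from here.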
@@ -292,8 +294,7 @@ void receive_file_entry(struct file_struct **fptr,
     int l = read_int(f);
     file->link = (char *)malloc(l+1);
     if (!file->link) out_of_memory("receive_file_entry 2");
-    read_buf(f,file->link,l);
-    file->link[l] = 0;
+    read_sbuf(f,file->link,l);
   }
 
 #if SUPPORT_HARD_LINKS
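Review bot: `l` from `read_int(f)` sizes `malloc(l+1)` with no range check, unlike the two call sites this commit guards with overflow(). A value near INT_MAX overflows `l+1`, a large value forces an equally large allocation, and a negative one makes read_sbuf() write `file->link[l]` before the buffer. If MAXPATHLEN is an acceptable limit for link targets, a guard before the allocation would cover all three: `if (l < 0 || l >= MAXPATHLEN) overflow("receive_file_entry");`. The enclosing function continues outside the hunk.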
diff --git a/io.c b/io.c
index a557a9b..1b2fb22 100644 (file)
--- a/io.c
+++ b/io.c
@@ -218,6 +218,12 @@ void read_buf(int f,char *buf,int len)
   total_read += len;
 }
 
+void read_sbuf(int f,char *buf,int len)
+{
+       read_buf(f,buf,len);
+       buf[len] = 0;
+}
+
 unsigned char read_byte(int f)
 {
   unsigned char c;
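Review bot: read_sbuf() has an unstated contract: it writes `len+1` bytes, so `buf` must have room for the terminator and `len` must not be negative. A header comment would make that visible to future callers, for example `/* read len bytes into buf and NUL-terminate it; buf must hold at least len+1 bytes and len must be >= 0 */`. Every call site converted in this commit depends on that sizing, which is why the uidlist.c allocations had to grow by one.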
index 962bb8c..4aa098f 100644 (file)
--- a/uidlist.c
+++ b/uidlist.c
@@ -256,9 +256,9 @@ void recv_uid_list(int f, struct file_list *flist)
                id = read_int(f);
                while (id != 0) {
                        int len = read_byte(f);
-                       name = (char *)malloc(len);
+                       name = (char *)malloc(len+1);
                        if (!name) out_of_memory("recv_uid_list");
-                       read_buf(f, name, len);
+                       read_sbuf(f, name, len);
                        if (!list) {
                                uidlist = add_list(id, name);
                                list = uidlist;
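Review bot: The `malloc(len+1)` line would benefit from a short comment saying what the extra byte is for and why the addition cannot overflow. `len` comes from `read_byte(f)`, which returns an unsigned char according to the io.c context, so it is at most 255. Something like `/* len is 0..255 from read_byte(); +1 for the NUL that read_sbuf() writes */` would do. The same applies to the identical gid loop in the next hunk. recv_uid_list starts and ends outside both hunks.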
@@ -279,9 +279,9 @@ void recv_uid_list(int f, struct file_list *flist)
                id = read_int(f);
                while (id != 0) {
                        int len = read_byte(f);
-                       name = (char *)malloc(len);
+                       name = (char *)malloc(len+1);
                        if (!name) out_of_memory("recv_uid_list");
-                       read_buf(f, name, len);
+                       read_sbuf(f, name, len);
                        if (!list) {
                                gidlist = add_list(id, name);
                                list = gidlist;
diff --git a/util.c b/util.c
index 4d293f2..013d62a 100644 (file)
--- a/util.c
+++ b/util.c
@@ -162,7 +162,13 @@ int piped_child(char **command,int *f_in,int *f_out)
 
 void out_of_memory(char *str)
 {
-  fprintf(FERROR,"out of memory in %s\n",str);
+  fprintf(FERROR,"ERROR: out of memory in %s\n",str);
+  exit_cleanup(1);
+}
+
+void overflow(char *str)
+{
+  fprintf(FERROR,"ERROR: buffer overflow in %s\n",str);
   exit_cleanup(1);
 }