From: Andrew Tridgell <tridge@samba.org>
Date: Wed, 1 Apr 1998 05:20:19 +0000 (+0000)
Subject: fixed a string termination bug in the uidlist handling code. I've also
X-Git-Url: https://mattmccutchen.net/rsync/rsync.git/commitdiff_plain/575f2fca9ab74cb30cca67323a414d7b0cdd0845

fixed a string termination bug in the uidlist handling code. I've also
added a read_sbuf() routine that fixes this kind of bug generically to
avoid similar problems in future.
---

diff --git a/exclude.c b/exclude.c
index 935c0c56..83c0b39b 100644
--- a/exclude.c
+++ b/exclude.c
@@ -164,9 +164,9 @@ void recv_exclude_list(int f)
   char line[MAXPATHLEN];
   int l;
   while ((l=read_int(f))) {
-    read_buf(f,line,l);
-    line[l] = 0;
-    add_exclude(line);
+	  if (l >= MAXPATHLEN) overflow("recv_exclude_list");
+	  read_sbuf(f,line,l);
+	  add_exclude(line);
   }
 }
 
diff --git a/flist.c b/flist.c
index f6f2c99f..3e3b3a68 100644
--- a/flist.c
+++ b/flist.c
@@ -251,8 +251,10 @@ void receive_file_entry(struct file_struct **fptr,
   bzero((char *)file,sizeof(*file));
   (*fptr) = file;
 
+  if (l2 >= MAXPATHLEN-l1) overflow("receive_file_entry");
+
   strncpy(thisname,lastname,l1);
-  read_buf(f,&thisname[l1],l2);
+  read_sbuf(f,&thisname[l1],l2);
   thisname[l1+l2] = 0;
 
   strncpy(lastname,thisname,MAXPATHLEN-1);
@@ -292,8 +294,7 @@ void receive_file_entry(struct file_struct **fptr,
     int l = read_int(f);
     file->link = (char *)malloc(l+1);
     if (!file->link) out_of_memory("receive_file_entry 2");
-    read_buf(f,file->link,l);
-    file->link[l] = 0;
+    read_sbuf(f,file->link,l);
   }
 
 #if SUPPORT_HARD_LINKS
diff --git a/io.c b/io.c
index a557a9b8..1b2fb221 100644
--- a/io.c
+++ b/io.c
@@ -218,6 +218,12 @@ void read_buf(int f,char *buf,int len)
   total_read += len;
 }
 
+void read_sbuf(int f,char *buf,int len)
+{
+	read_buf(f,buf,len);
+	buf[len] = 0;
+}
+
 unsigned char read_byte(int f)
 {
   unsigned char c;
diff --git a/uidlist.c b/uidlist.c
index 962bb8c8..4aa098f8 100644
--- a/uidlist.c
+++ b/uidlist.c
@@ -256,9 +256,9 @@ void recv_uid_list(int f, struct file_list *flist)
 		id = read_int(f);
 		while (id != 0) {
 			int len = read_byte(f);
-			name = (char *)malloc(len);
+			name = (char *)malloc(len+1);
 			if (!name) out_of_memory("recv_uid_list");
-			read_buf(f, name, len);
+			read_sbuf(f, name, len);
 			if (!list) {
 				uidlist = add_list(id, name);
 				list = uidlist;
@@ -279,9 +279,9 @@ void recv_uid_list(int f, struct file_list *flist)
 		id = read_int(f);
 		while (id != 0) {
 			int len = read_byte(f);
-			name = (char *)malloc(len);
+			name = (char *)malloc(len+1);
 			if (!name) out_of_memory("recv_uid_list");
-			read_buf(f, name, len);
+			read_sbuf(f, name, len);
 			if (!list) {
 				gidlist = add_list(id, name);
 				list = gidlist;
diff --git a/util.c b/util.c
index 4d293f22..013d62ad 100644
--- a/util.c
+++ b/util.c
@@ -162,7 +162,13 @@ int piped_child(char **command,int *f_in,int *f_out)
 
 void out_of_memory(char *str)
 {
-  fprintf(FERROR,"out of memory in %s\n",str);
+  fprintf(FERROR,"ERROR: out of memory in %s\n",str);
+  exit_cleanup(1);
+}
+
+void overflow(char *str)
+{
+  fprintf(FERROR,"ERROR: buffer overflow in %s\n",str);
   exit_cleanup(1);
 }