From 58cadc8608fbb2cbc7b74578cd92de4337a4b887 Mon Sep 17 00:00:00 2001 From: Wayne Davison Date: Sat, 6 Dec 2003 21:07:27 +0000 Subject: [PATCH] Merged in the security fixes from 2.5.7. --- NEWS | 14 ++++++++++++-- batch.c | 21 ++++++++------------- checksum.c | 2 +- configure.in | 2 +- exclude.c | 8 ++++---- fileio.c | 4 ++-- flist.c | 38 +++++++++++++++++++------------------- hlink.c | 4 +--- io.c | 2 +- loadparm.c | 4 ++-- log.c | 4 ++-- match.c | 4 ++-- options.c | 2 +- packaging/lsb/rsync.spec | 4 ++-- params.c | 8 ++++---- receiver.c | 3 ++- rsync.c | 2 +- rsync.h | 4 ++++ sender.c | 4 ++-- token.c | 8 ++++---- uidlist.c | 6 +++--- util.c | 27 ++++++++++++++++++++------- 22 files changed, 98 insertions(+), 77 deletions(-) diff --git a/NEWS b/NEWS index 6d78a518..f7d1d103 100644 --- a/NEWS +++ b/NEWS @@ -1,6 +1,6 @@ -NEWS for rsync version 2.5.7 +NEWS for rsync version 2.5.8 Protocol: 27 (changed) -Changes since version 2.5.6: +Changes since version 2.5.7: ENHANCEMENTS: @@ -113,6 +113,16 @@ Changes since version 2.5.6: (Wayne Davison) +NEWS for rsync version 2.5.7: +Protocol: 26 (unchanged) +Changes since version 2.5.6: + + SECURITY: + + * Fix buffer handling bugs. (Andrew Tridgell, Martin Pool, Paul + Russell, Andrea Barisani) + + NEWS for rsync version 2.5.6, aka the dwd-between-jobs release Protocol: 26 (unchanged) Changes since version 2.5.5: diff --git a/batch.c b/batch.c index d3f65233..d503373d 100644 --- a/batch.c +++ b/batch.c @@ -185,15 +185,14 @@ struct file_list *create_flist_from_batch(void) fdb_open = 1; fdb_close = 0; - batch_flist = (struct file_list *) malloc(sizeof(batch_flist[0])); + batch_flist = new(struct file_list); if (!batch_flist) { out_of_memory("create_flist_from_batch"); } batch_flist->count = 0; batch_flist->malloced = 1000; - batch_flist->files = - (struct file_struct **) malloc(sizeof(batch_flist->files[0]) * - batch_flist->malloced); + batch_flist->files = new_array(struct file_struct *, + batch_flist->malloced); if (!batch_flist->files) { out_of_memory("create_flist_from_batch"); } @@ -207,14 +206,10 @@ struct file_list *create_flist_from_batch(void) batch_flist->malloced += 1000; else batch_flist->malloced *= 2; - batch_flist->files = - (struct file_struct **) realloc(batch_flist-> - files, - sizeof - (batch_flist-> - files[0]) * - batch_flist-> - malloced); + batch_flist->files + = realloc_array(batch_flist->files, + struct file_struct *, + batch_flist->malloced); if (!batch_flist->files) out_of_memory("create_flist_from_batch"); } @@ -282,7 +277,7 @@ void read_batch_flist_info(struct file_struct **fptr) char buff[256]; struct file_struct *file; - file = (struct file_struct *) malloc(sizeof(*file)); + file = new(struct file_struct); if (!file) out_of_memory("read_batch_flist_info"); memset((char *) file, 0, sizeof(*file)); diff --git a/checksum.c b/checksum.c index 57dac48e..3acd9708 100644 --- a/checksum.c +++ b/checksum.c @@ -58,7 +58,7 @@ void get_checksum2(char *buf,int len,char *sum) if (len > len1) { if (buf1) free(buf1); - buf1 = (char *)malloc(len+4); + buf1 = new_array(char, len+4); len1 = len; if (!buf1) out_of_memory("get_checksum2"); } diff --git a/configure.in b/configure.in index 68dac5a0..ff4bf748 100644 --- a/configure.in +++ b/configure.in @@ -5,7 +5,7 @@ AC_CONFIG_SRCDIR([byteorder.h]) AC_CONFIG_HEADER(config.h) AC_PREREQ(2.52) -RSYNC_VERSION=2.5.6 +RSYNC_VERSION=2.5.7 AC_SUBST(RSYNC_VERSION) AC_MSG_NOTICE([Configuring rsync $RSYNC_VERSION]) diff --git a/exclude.c b/exclude.c index 1bb042b3..a459f295 100644 --- a/exclude.c +++ b/exclude.c @@ -40,7 +40,7 @@ static struct exclude_struct *make_exclude(const char *pattern, int include) char *cp; int pat_len; - ret = (struct exclude_struct *)malloc(sizeof(*ret)); + ret = new(struct exclude_struct); if (!ret) out_of_memory("make_exclude"); memset(ret, 0, sizeof(*ret)); @@ -57,8 +57,8 @@ static struct exclude_struct *make_exclude(const char *pattern, int include) if (exclude_path_prefix) ret->match_flags |= MATCHFLG_ABS_PATH; if (exclude_path_prefix && *pattern == '/') { - ret->pattern = malloc(strlen(exclude_path_prefix) - + strlen(pattern) + 1); + ret->pattern = new_array(char, + strlen(exclude_path_prefix) + strlen(pattern) + 1); if (!ret->pattern) out_of_memory("make_exclude"); sprintf(ret->pattern, "%s%s", exclude_path_prefix, pattern); } @@ -245,7 +245,7 @@ void add_exclude(struct exclude_struct ***listp, const char *pattern, int includ if (list) for (; list[len]; len++) {} - list = *listp = (struct exclude_struct **)Realloc(list,sizeof(struct exclude_struct *)*(len+2)); + list = *listp = realloc_array(list, struct exclude_struct *, len+2); if (!list || !(list[len] = make_exclude(pattern, include))) out_of_memory("add_exclude"); diff --git a/fileio.c b/fileio.c index 088ed639..32480f74 100644 --- a/fileio.c +++ b/fileio.c @@ -105,7 +105,7 @@ int write_file(int f,char *buf,size_t len) struct map_struct *map_file(int fd,OFF_T len) { struct map_struct *map; - map = (struct map_struct *)malloc(sizeof(*map)); + map = new(struct map_struct); if (!map) out_of_memory("map_file"); map->fd = fd; @@ -160,7 +160,7 @@ char *map_ptr(struct map_struct *map,OFF_T offset,int len) /* make sure we have allocated enough memory for the window */ if (window_size > map->p_size) { - map->p = (char *)Realloc(map->p, window_size); + map->p = realloc_array(map->p, char, window_size); if (!map->p) out_of_memory("map_ptr"); map->p_size = window_size; } diff --git a/flist.c b/flist.c index 8bc3ab37..6cdc050d 100644 --- a/flist.c +++ b/flist.c @@ -123,10 +123,10 @@ static struct string_area *string_area_new(int size) if (size <= 0) size = ARENA_SIZE; - a = malloc(sizeof(*a)); + a = new(struct string_area); if (!a) out_of_memory("string_area_new"); - a->current = a->base = malloc(size); + a->current = a->base = new_array(char, size); if (!a->current) out_of_memory("string_area_new buffer"); a->end = a->base + size; @@ -327,7 +327,6 @@ static char *flist_dir; static void flist_expand(struct file_list *flist) { if (flist->count >= flist->malloced) { - size_t new_bytes; void *new_ptr; if (flist->malloced < 1000) @@ -335,16 +334,19 @@ static void flist_expand(struct file_list *flist) else flist->malloced *= 2; - new_bytes = sizeof(flist->files[0]) * flist->malloced; - - if (flist->files) - new_ptr = realloc(flist->files, new_bytes); - else - new_ptr = malloc(new_bytes); + if (flist->files) { + new_ptr = realloc_array(flist->files, + struct file_struct *, + flist->malloced); + } else { + new_ptr = new_array(struct file_struct *, + flist->malloced); + } if (verbose >= 2) { rprintf(FINFO, "expand file_list to %.0f bytes, did%s move\n", - (double) new_bytes, + (double)sizeof(flist->files[0]) + * flist->malloced, (new_ptr == flist->files) ? " not" : ""); } @@ -502,7 +504,7 @@ static void receive_file_entry(struct file_struct **fptr, else l2 = read_byte(f); - file = (struct file_struct *) malloc(sizeof(*file)); + file = new(struct file_struct); if (!file) out_of_memory("receive_file_entry"); memset((char *) file, 0, sizeof(*file)); @@ -569,7 +571,7 @@ static void receive_file_entry(struct file_struct **fptr, rprintf(FERROR, "overflow: l=%d\n", l); overflow("receive_file_entry"); } - file->link = (char *) malloc(l + 1); + file->link = new_array(char, l + 1); if (!file->link) out_of_memory("receive_file_entry 2"); read_sbuf(f, file->link, l); @@ -590,7 +592,7 @@ static void receive_file_entry(struct file_struct **fptr, #endif if (always_checksum) { - file->sum = (char *) malloc(MD4_SUM_LENGTH); + file->sum = new_array(char, MD4_SUM_LENGTH); if (!file->sum) out_of_memory("md4 sum"); if (protocol_version < 21) { @@ -723,7 +725,7 @@ struct file_struct *make_file(char *fname, struct string_area **ap, if (verbose > 2) rprintf(FINFO, "make_file(%s,*,%d)\n", fname, exclude_level); - file = (struct file_struct *) malloc(sizeof(*file)); + file = new(struct file_struct); if (!file) out_of_memory("make_file"); memset((char *) file, 0, sizeof(*file)); @@ -1101,15 +1103,13 @@ struct file_list *recv_file_list(int f) start_read = stats.total_read; - flist = (struct file_list *) malloc(sizeof(flist[0])); + flist = new(struct file_list); if (!flist) goto oom; flist->count = 0; flist->malloced = 1000; - flist->files = - (struct file_struct **) malloc(sizeof(flist->files[0]) * - flist->malloced); + flist->files = new_array(struct file_struct *, flist->malloced); if (!flist->files) goto oom; @@ -1251,7 +1251,7 @@ struct file_list *flist_new(void) { struct file_list *flist; - flist = (struct file_list *) malloc(sizeof(flist[0])); + flist = new(struct file_list); if (!flist) out_of_memory("send_file_list"); diff --git a/hlink.c b/hlink.c index a38a65bd..3826ce52 100644 --- a/hlink.c +++ b/hlink.c @@ -57,9 +57,7 @@ void init_hard_links(struct file_list *flist) if (hlink_list) free(hlink_list); - if (!(hlink_list = - (struct file_struct *) malloc(sizeof(hlink_list[0]) * - flist->count))) + if (!(hlink_list = new_array(struct file_struct, flist->count))) out_of_memory("init_hard_links"); for (i = 0; i < flist->count; i++) diff --git a/io.c b/io.c index 36d5f1b2..9fc37152 100644 --- a/io.c +++ b/io.c @@ -688,7 +688,7 @@ void io_start_buffering(int fd) { if (io_buffer) return; multiplex_out_fd = fd; - io_buffer = (char *)malloc(IO_BUFFER_SIZE); + io_buffer = new_array(char, IO_BUFFER_SIZE); if (!io_buffer) out_of_memory("writefd"); io_buffer_count = 0; } diff --git a/loadparm.c b/loadparm.c index 9dc80e70..d9ce1577 100644 --- a/loadparm.c +++ b/loadparm.c @@ -441,10 +441,10 @@ static int add_a_service(service *pservice, char *name) i = iNumServices; - ServicePtrs = (service **)Realloc(ServicePtrs,sizeof(service *)*num_to_alloc); + ServicePtrs = realloc_array(ServicePtrs, service *, num_to_alloc); if (ServicePtrs) - pSERVICE(iNumServices) = (service *)malloc(sizeof(service)); + pSERVICE(iNumServices) = new(service); if (!ServicePtrs || !pSERVICE(iNumServices)) return(-1); diff --git a/log.c b/log.c index 34ff6d3d..d440a16f 100644 --- a/log.c +++ b/log.c @@ -90,10 +90,10 @@ static struct err_list *err_list_tail; static void err_list_add(int code, char *buf, int len) { struct err_list *el; - el = (struct err_list *)malloc(sizeof(*el)); + el = new(struct err_list); if (!el) exit_cleanup(RERR_MALLOC); el->next = NULL; - el->buf = malloc(len+4); + el->buf = new_array(char, len+4); if (!el->buf) exit_cleanup(RERR_MALLOC); memcpy(el->buf+4, buf, len); SIVAL(el->buf, 0, ((code+MPLEX_BASE)<<24) | len); diff --git a/match.c b/match.c index 926aad61..ba569785 100644 --- a/match.c +++ b/match.c @@ -62,9 +62,9 @@ static void build_hash_table(struct sum_struct *s) int i; if (!tag_table) - tag_table = (int *)malloc(sizeof(tag_table[0])*TABLESIZE); + tag_table = new_array(int, TABLESIZE); - targets = (struct target *)malloc(sizeof(targets[0])*s->count); + targets = new_array(struct target, s->count); if (!tag_table || !targets) out_of_memory("build_hash_table"); diff --git a/options.c b/options.c index d329f35a..b8c9f3da 100644 --- a/options.c +++ b/options.c @@ -825,7 +825,7 @@ void server_options(char **args,int *argc) /* Only send --suffix if it specifies a non-default value. */ if (strcmp(backup_suffix, backup_dir? "" : BACKUP_SUFFIX) != 0) { - char *s = malloc(9+backup_suffix_len+1); + char *s = new_array(char, 9+backup_suffix_len+1); if (!s) out_of_memory("server_options"); /* We use the following syntax to avoid weirdness with '~'. */ diff --git a/packaging/lsb/rsync.spec b/packaging/lsb/rsync.spec index 716444bd..1e61acab 100644 --- a/packaging/lsb/rsync.spec +++ b/packaging/lsb/rsync.spec @@ -1,10 +1,10 @@ Summary: Program for efficient remote updates of files. Name: rsync -Version: 2.5.6 +Version: 2.5.7 Release: 1 Copyright: GPL Group: Applications/Networking -Source: ftp://samba.anu.edu.au/pub/rsync/rsync-2.5.6.tar.gz +Source: ftp://samba.anu.edu.au/pub/rsync/rsync-2.5.7.tar.gz URL: http://samba.anu.edu.au/rsync/ Packager: Andrew Tridgell BuildRoot: /tmp/rsync diff --git a/params.c b/params.c index 81638118..56a2a914 100644 --- a/params.c +++ b/params.c @@ -207,7 +207,7 @@ static BOOL Section( FILE *InFile, BOOL (*sfunc)(char *) ) if( i > (bSize - 2) ) { bSize += BUFR_INC; - bufr = Realloc( bufr, bSize ); + bufr = realloc_array( bufr, char, bSize ); if( NULL == bufr ) { rprintf(FERROR, "%s Memory re-allocation failure.", func); @@ -301,7 +301,7 @@ static BOOL Parameter( FILE *InFile, BOOL (*pfunc)(char *, char *), int c ) if( i > (bSize - 2) ) /* Ensure there's space for next char. */ { bSize += BUFR_INC; - bufr = Realloc( bufr, bSize ); + bufr = realloc_array( bufr, char, bSize ); if( NULL == bufr ) { rprintf(FERROR, "%s Memory re-allocation failure.", func) ; @@ -366,7 +366,7 @@ static BOOL Parameter( FILE *InFile, BOOL (*pfunc)(char *, char *), int c ) if( i > (bSize - 2) ) /* Make sure there's enough room. */ { bSize += BUFR_INC; - bufr = Realloc( bufr, bSize ); + bufr = realloc_array( bufr, char, bSize ); if( NULL == bufr ) { rprintf(FERROR, "%s Memory re-allocation failure.", func) ; @@ -530,7 +530,7 @@ BOOL pm_process( char *FileName, else /* If we don't have a buffer */ { /* allocate one, then parse, */ bSize = BUFR_INC; /* then free. */ - bufr = (char *)malloc( bSize ); + bufr = new_array( char, bSize ); if( NULL == bufr ) { rprintf(FERROR,"%s memory allocation failure.\n", func); diff --git a/receiver.c b/receiver.c index 13a62948..18b0795a 100644 --- a/receiver.c +++ b/receiver.c @@ -70,7 +70,8 @@ static void add_delete_entry(struct file_struct *file) { if (dlist_len == dlist_alloc_len) { dlist_alloc_len += 1024; - delete_list = (struct delete_list *)Realloc(delete_list, sizeof(delete_list[0])*dlist_alloc_len); + delete_list = realloc_array(delete_list, struct delete_list, + dlist_alloc_len); if (!delete_list) out_of_memory("add_delete_entry"); } diff --git a/rsync.c b/rsync.c index 36d7b8b1..cfee2d03 100644 --- a/rsync.c +++ b/rsync.c @@ -133,7 +133,7 @@ static int is_in_group(gid_t gid) /* treat failure (-1) as if not member of any group */ ngroups = getgroups(0, 0); if (ngroups > 0) { - gidset = (GETGROUPS_T *) malloc(ngroups * sizeof(GETGROUPS_T)); + gidset = new_array(GETGROUPS_T, ngroups); ngroups = getgroups(ngroups, gidset); } } diff --git a/rsync.h b/rsync.h index 21a19884..3a39f15e 100644 --- a/rsync.h +++ b/rsync.h @@ -626,6 +626,10 @@ extern int errno; #endif +/* Convenient wrappers for malloc and realloc. Use them. */ +#define new(type) ((type *)malloc(sizeof(type))) +#define new_array(type, num) ((type *)_new_array(sizeof(type), (num))) +#define realloc_array(ptr, type, num) ((type *)_realloc_array((ptr), sizeof(type), (num))) /* use magic gcc attributes to catch format errors */ void rprintf(enum logcode , const char *, ...) diff --git a/sender.c b/sender.c index 3d390526..a9c31bba 100644 --- a/sender.c +++ b/sender.c @@ -58,7 +58,7 @@ static struct sum_struct *receive_sums(int f) int i; OFF_T offset = 0; - s = (struct sum_struct *)malloc(sizeof(*s)); + s = new(struct sum_struct); if (!s) out_of_memory("receive_sums"); read_sum_head(f, s); @@ -73,7 +73,7 @@ static struct sum_struct *receive_sums(int f) if (s->count == 0) return(s); - s->sums = (struct sum_buf *)malloc(sizeof(s->sums[0])*s->count); + s->sums = new_array(struct sum_buf, s->count); if (!s->sums) out_of_memory("receive_sums"); for (i = 0; i < (int) s->count; i++) { diff --git a/token.c b/token.c index 8f498f1f..835c4785 100644 --- a/token.c +++ b/token.c @@ -68,7 +68,7 @@ static int simple_recv_token(int f,char **data) int n; if (!buf) { - buf = (char *)malloc(CHUNK_SIZE); + buf = new_array(char, CHUNK_SIZE); if (!buf) out_of_memory("simple_recv_token"); } @@ -174,7 +174,7 @@ send_deflated_token(int f, int token, rprintf(FERROR, "compression init failed\n"); exit_cleanup(RERR_STREAMIO); } - if ((obuf = malloc(OBUF_SIZE)) == NULL) + if ((obuf = new_array(char, OBUF_SIZE)) == NULL) out_of_memory("send_deflated_token"); init_done = 1; } else @@ -336,8 +336,8 @@ recv_deflated_token(int f, char **data) rprintf(FERROR, "inflate init failed\n"); exit_cleanup(RERR_STREAMIO); } - if ((cbuf = malloc(MAX_DATA_COUNT)) == NULL - || (dbuf = malloc(AVAIL_OUT_SIZE(CHUNK_SIZE))) == NULL) + if (!(cbuf = new_array(char, MAX_DATA_COUNT)) + || !(dbuf = new_array(char, AVAIL_OUT_SIZE(CHUNK_SIZE)))) out_of_memory("recv_deflated_token"); init_done = 1; } else { diff --git a/uidlist.c b/uidlist.c index 14611a55..d8a7af11 100644 --- a/uidlist.c +++ b/uidlist.c @@ -41,7 +41,7 @@ static struct idlist *gidlist; static struct idlist *add_list(int id, char *name) { - struct idlist *list = (struct idlist *)malloc(sizeof(list[0])); + struct idlist *list = new(struct idlist); if (!list) out_of_memory("add_list"); list->next = NULL; list->name = strdup(name); @@ -241,7 +241,7 @@ void recv_uid_list(int f, struct file_list *flist) id = read_int(f); while (id != 0) { int len = read_byte(f); - name = (char *)malloc(len+1); + name = new_array(char, len+1); if (!name) out_of_memory("recv_uid_list"); read_sbuf(f, name, len); if (!list) { @@ -264,7 +264,7 @@ void recv_uid_list(int f, struct file_list *flist) id = read_int(f); while (id != 0) { int len = read_byte(f); - name = (char *)malloc(len+1); + name = new_array(char, len+1); if (!name) out_of_memory("recv_uid_list"); read_sbuf(f, name, len); if (!list) { diff --git a/util.c b/util.c index e6420646..4ba6caa9 100644 --- a/util.c +++ b/util.c @@ -559,13 +559,6 @@ void strlower(char *s) } } -void *Realloc(void *p, int size) -{ - if (!p) return (void *)malloc(size); - return (void *)realloc(p, size); -} - - void clean_fname(char *name) { char *p; @@ -1008,3 +1001,23 @@ int _Insure_trap_error(int a1, int a2, int a3, int a4, int a5, int a6) return ret; } #endif + + +#define MALLOC_MAX 0x40000000 + +void *_new_array(unsigned int size, unsigned long num) +{ + if (num >= MALLOC_MAX/size) + return NULL; + return malloc(size * num); +} + +void *_realloc_array(void *ptr, unsigned int size, unsigned long num) +{ + if (num >= MALLOC_MAX/size) + return NULL; + /* No realloc should need this, but just in case... */ + if (!ptr) + return malloc(size * num); + return realloc(ptr, size * num); +} -- 2.34.1