diff options
| author | Daniel Baumann <daniel.baumann@progress-linux.org> | 2025-01-19 18:40:22 +0000 |
|---|---|---|
| committer | Daniel Baumann <daniel.baumann@progress-linux.org> | 2025-01-19 18:40:22 +0000 |
| commit | f3262cc6aeed05b753fce4aa16615758fd788ea7 (patch) | |
| tree | d00a9107f9a05ad12aaffa516ad50ba69b71b5af /debian/patches/Fix_use-after-free_in_generator.patch | |
| parent | Merging upstream version 3.3.0+ds1. (diff) | |
| download | rsync-f3262cc6aeed05b753fce4aa16615758fd788ea7.tar.xz rsync-f3262cc6aeed05b753fce4aa16615758fd788ea7.zip | |
Merging debian version 3.3.0+ds1-4.
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'debian/patches/Fix_use-after-free_in_generator.patch')
| -rw-r--r-- | debian/patches/Fix_use-after-free_in_generator.patch | 31 |
1 files changed, 31 insertions, 0 deletions
diff --git a/debian/patches/Fix_use-after-free_in_generator.patch b/debian/patches/Fix_use-after-free_in_generator.patch new file mode 100644 index 0000000..5d3ccb2 --- /dev/null +++ b/debian/patches/Fix_use-after-free_in_generator.patch @@ -0,0 +1,31 @@ +From f923b19fd85039a2b0e908391074872334646d51 Mon Sep 17 00:00:00 2001 +From: Natanael Copa <ncopa@alpinelinux.org> +Date: Wed, 15 Jan 2025 15:48:04 +0100 +Subject: [PATCH] Fix use-after-free in generator + +full_fname() will free the return value in the next call so we need to +duplicate it before passing it to rsyserr. + +Fixes: https://github.com/RsyncProject/rsync/issues/704 +--- + generator.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/generator.c b/generator.c +index 3f13bb95..b56fa569 100644 +--- a/generator.c ++++ b/generator.c +@@ -2041,8 +2041,12 @@ int atomic_create(struct file_struct *file, char *fname, const char *slnk, const + + if (!skip_atomic) { + if (do_rename(tmpname, fname) < 0) { ++ char *full_tmpname = strdup(full_fname(tmpname)); ++ if (full_tmpname == NULL) ++ out_of_memory("atomic_create"); + rsyserr(FERROR_XFER, errno, "rename %s -> \"%s\" failed", +- full_fname(tmpname), full_fname(fname)); ++ full_tmpname, full_fname(fname)); ++ free(full_tmpname); + do_unlink(tmpname); + return 0; + } |