https://bugzilla.samba.org/show_bug.cgi?id=13112
--- Comment #1 from jeriko....@gmx.us --- This issue can also be reached in 3.1.2, but through a different path as the earlier version doesn't have an xattr filter. I believe the same fix for 3.1.3 would work for 3.1.2 (using read_sbuf) If I should open a separate bug for this please let me know. It requires the daemon to use: fake super = yes so that am_root == -1 the sender needs to send at least 2 xattrs, at least one without the USER_PREFIX, and one that doesn't have a terminating NULL. same issue of name being read in with read_buf, so it's not guaranteed to be NULL terminated. 698 read_buf(f, name, name_len); 705 #ifdef HAVE_LINUX_XATTRS 706 /* Non-root can only save the user namespace. */ 707 if (am_root <= 0 && !HAS_PREFIX(name, USER_PREFIX)) { 708 if (!am_root) { 709 free(ptr); 710 continue; 711 } 712 name -= RPRE_LEN; 713 name_len += RPRE_LEN; 714 memcpy(name, RSYNC_PREFIX, RPRE_LEN); 715 need_sort = 1; 716 } After reading the xattrs it'll sort them if need be. need_sort is set in the previous code snippet. 747 if (need_sort && count > 1) 748 qsort(temp_xattr.items, count, sizeof (rsync_xa), rsync_xal_compare_names); 116 static int rsync_xal_compare_names(const void *x1, const void *x2) 117 { 118 const rsync_xa *xa1 = x1; 119 const rsync_xa *xa2 = x2; 120 return strcmp(xa1->name, xa2->name); 121 } rsync_xal_compare_names is expecting the names to be NULL terminated, but that isn't guaranteed. ASan output: ================================================================= ==29001==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000eaa0 at pc 0x7ffff6eb3185 bp 0x7fffffff99d0 sp 0x7fffffff9178 READ of size 18 at 0x60200000eaa0 thread T0 #0 0x7ffff6eb3184 (/usr/lib/gcc/x86_64-pc-linux-gnu/5.4.0/libasan.so.2+0x47184) #1 0x49b7e6 in rsync_xal_compare_names /home/raj/rsync/rsync-3.1.2/xattrs.c:120 #2 0x7ffff64ecc9b (/lib64/libc.so.6+0x34c9b) #3 0x7ffff64ecfe9 in qsort_r (/lib64/libc.so.6+0x34fe9) #4 0x49f443 in receive_xattr /home/raj/rsync/rsync-3.1.2/xattrs.c:748 #5 0x40be5b in recv_file_entry /home/raj/rsync/rsync-3.1.2/flist.c:1126 #6 0x415b95 in recv_file_list /home/raj/rsync/rsync-3.1.2/flist.c:2494 #7 0x45478f in do_server_recv /home/raj/rsync/rsync-3.1.2/main.c:1025 #8 0x454fd9 in start_server /home/raj/rsync/rsync-3.1.2/main.c:1104 #9 0x4ae074 in rsync_module /home/raj/rsync/rsync-3.1.2/clientserver.c:1003 #10 0x4ae68a in start_daemon /home/raj/rsync/rsync-3.1.2/clientserver.c:1094 #11 0x48e271 in start_accept_loop /home/raj/rsync/rsync-3.1.2/socket.c:618 #12 0x4aee41 in daemon_main /home/raj/rsync/rsync-3.1.2/clientserver.c:1196 #13 0x457c02 in main /home/raj/rsync/rsync-3.1.2/main.c:1621 #14 0x7ffff64d866f in __libc_start_main (/lib64/libc.so.6+0x2066f) #15 0x404778 in _start (/home/raj/rsync/release_asan/bin/rsync+0x404778) 0x60200000eaa0 is located 0 bytes to the right of 16-byte region [0x60200000ea90,0x60200000eaa0) allocated by thread T0 here: #0 0x7ffff6f04572 in malloc (/usr/lib/gcc/x86_64-pc-linux-gnu/5.4.0/libasan.so.2+0x98572) #1 0x44ddad in _new_array /home/raj/rsync/rsync-3.1.2/util2.c:70 #2 0x49f012 in receive_xattr /home/raj/rsync/rsync-3.1.2/xattrs.c:694 #3 0x40be5b in recv_file_entry /home/raj/rsync/rsync-3.1.2/flist.c:1126 #4 0x415b95 in recv_file_list /home/raj/rsync/rsync-3.1.2/flist.c:2494 #5 0x45478f in do_server_recv /home/raj/rsync/rsync-3.1.2/main.c:1025 #6 0x454fd9 in start_server /home/raj/rsync/rsync-3.1.2/main.c:1104 #7 0x4ae074 in rsync_module /home/raj/rsync/rsync-3.1.2/clientserver.c:1003 #8 0x4ae68a in start_daemon /home/raj/rsync/rsync-3.1.2/clientserver.c:1094 #9 0x48e271 in start_accept_loop /home/raj/rsync/rsync-3.1.2/socket.c:618 #10 0x4aee41 in daemon_main /home/raj/rsync/rsync-3.1.2/clientserver.c:1196 #11 0x457c02 in main /home/raj/rsync/rsync-3.1.2/main.c:1621 #12 0x7ffff64d866f in __libc_start_main (/lib64/libc.so.6+0x2066f) SUMMARY: AddressSanitizer: heap-buffer-overflow ??:0 ?? Shadow bytes around the buggy address: 0x0c047fff9d00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c047fff9d10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c047fff9d20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c047fff9d30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c047fff9d40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa 00 00 =>0x0c047fff9d50: fa fa 00 00[fa]fa 04 fa fa fa 00 07 fa fa fd fd 0x0c047fff9d60: fa fa 02 fa fa fa 02 fa fa fa 00 01 fa fa 00 01 0x0c047fff9d70: fa fa 06 fa fa fa fd fd fa fa fd fa fa fa 02 fa 0x0c047fff9d80: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa 0x0c047fff9d90: fa fa 02 fa fa fa 03 fa fa fa 00 01 fa fa fd fd 0x0c047fff9da0: fa fa 00 04 fa fa fd fd fa fa fd fd fa fa fd fa Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Heap right redzone: fb Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack partial redzone: f4 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 Container overflow: fc Array cookie: ac Intra object redzone: bb ASan internal: fe ==29001==ABORTING -- You are receiving this mail because: You are the QA Contact for the bug. -- Please use reply-all for most replies to avoid omitting the mailing list. To unsubscribe or change options: https://lists.samba.org/mailman/listinfo/rsync Before posting, read: http://www.catb.org/~esr/faqs/smart-questions.html