Package: rsh-client
Version: 0.17-17+b1
Severity: normal
Tags: patch

Dear Maintainer,

The way to reproduce is as follows.

hostA$ mkdir /tmp/src300000
hostA$ cd /tmp/src300000
hostA$ seq 100 300000 | xargs touch

hostB terminal-1: monitor memory use - e.g. top command.

hostB terminal-2: execute the rcp command as follows.

hostB$ mkdir /tmp/dest-0123456789abcdefghijklmnopqrstuvwxyz
hostB$ netkit-rcp -r hostA:/tmp/src300000 
/tmp/dest-0123456789abcdefghijklmnopqrstuvwxyz


The following patch fixes the problem.

--- netkit-rsh-0.17/rcp/rcp.c
+++ new/rcp/rcp.c
@@ -645,6 +645,8 @@
        int ofd, setimes, targisdir;
        off64_t size;
        char *np, *vect[1], buf[BUFSIZ];
+       char *namebuf = NULL;
+       unsigned cursize = 0, nbase = 0;
 
 #define        atime   tv[0]
 #define        mtime   tv[1]
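Review bot: `cursize` and `nbase` are declared `unsigned` here, but they hold values derived from `strlen()` and `cursize` is compared against `int need` in the hunk at -741, so that comparison mixes signed and unsigned operands. Using `size_t` throughout keeps the length arithmetic in one type and avoids the implicit conversion: `size_t cursize = 0, nbase = 0;` here and `size_t need = strlen(targ) + strlen(cp) + 2;` there. The enclosing function starts and ends outside this hunk.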
@@ -666,8 +668,11 @@
                targisdir = 1;
        for (first = 1;; first = 0) {
                cp = buf;
-               if (read(rem, cp, 1) <= 0)
+               if (read(rem, cp, 1) <= 0) {
+                       if (namebuf)
+                               free(namebuf);
                        return;
+               }
                if (*cp++ == '\n')
                        SCREWUP("unexpected <newline>");
                do {
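Review bot: The `if (namebuf)` guard before `free(namebuf)` is redundant, since `free(NULL)` is a no-op; a plain `free(namebuf);` would do here and at the `buf[0] == 'E'` return in the next hunk. Because the buffer is now released by hand at each return, any other exit from this loop that lies outside the visible hunks would need the same call. If there are more than these two, a single cleanup label may be easier to keep correct. The loop body continues outside this hunk.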
@@ -687,6 +692,8 @@
                }
                if (buf[0] == 'E') {
                        (void)write(rem, "", 1);
+                       if (namebuf)
+                               free(namebuf);
                        return;
                }
 
@@ -741,17 +748,28 @@
                if (*cp++ != ' ')
                        SCREWUP("size not delimited");
                if (targisdir) {
-                       static char *namebuf;
-                       static int cursize;
-                       int need;
-
-                       need = strlen(targ) + strlen(cp) + 250;
+                       char *newbuf;
+                       int need = strlen(targ) + strlen(cp) + 2;
                        if (need > cursize) {
-                               if (!(namebuf = malloc(need)))
+                               need += 64;
+                               if (!(newbuf = malloc(need))) {
                                        error("out of memory\n");
+                                       exit(1);
+                               }
+                               if (namebuf) {
+                                       memcpy(newbuf, namebuf, nbase);
+                                       newbuf[nbase] = '\0';
+                                       free(namebuf);
+                               } else {
+                                       strcpy(newbuf, targ);
+                                       if (*newbuf)
+                                               strcat(newbuf, "/");
+                                       nbase = strlen(newbuf);
+                               }
+                               namebuf = newbuf;
+                               cursize = need;
                        }
-                       (void)snprintf(namebuf, need, "%s%s%s", targ,
-                           *targ ? "/" : "", cp);
+                       strcpy(namebuf + nbase, cp);
                        np = namebuf;
                }
                else
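Review bot: The bounded `snprintf` is replaced by `strcpy(namebuf + nbase, cp)`, so the write of the name received from the remote side is only as safe as the `need`/`cursize` arithmetic above it. The arithmetic looks right as written (`nbase + strlen(cp) + 1` never exceeds `need`), but it relies on `targ` not changing between iterations, which this hunk does not show. Keeping the bound costs nothing: `(void)snprintf(namebuf + nbase, cursize - nbase, "%s", cp);`. A short comment at the growth branch would also help, e.g. `/* namebuf holds "targ/" in its first nbase bytes; only the tail is rewritten per file */`. The `else` branch continues outside the hunk.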

Thank you,
Hiroyuki YAMAMORI


-- System Information:
Debian Release: buster/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.14.0-3-amd64 (SMP w/8 CPU cores)
Locale: LANG=C.UTF-8, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE=C.UTF-8 
(charmap=UTF-8)

Shell: /bin/sh linked to /bin/dash
Init: sysvinit (via /sbin/init)

Versions of packages rsh-client depends on:
ii  libc6  2.26-6

rsh-client recommends no packages.

rsh-client suggests no packages.

-- no debconf information
