Maybe security-related mails should be sent elsewhere? I didn't notice any such address, so here it goes:

sender.c:receive_sums()

        s->count = read_int(f);
..
        s->sums = (struct sum_buf *)malloc(sizeof(s->sums[0])*s->count);
        if (!s->sums) out_of_memory("receive_sums");

        for (i=0; i < (int) s->count;i++) {
                s->sums[i].sum1 = read_int(f);
                read_buf(f,s->sums[i].sum2,csum_length);
..

If I read this right, given a high enough s->count, the malloc() parameter wraps around to a few bytes while the loop still reads data past it.

Exploiting this is probably pretty difficult, if at all possible. There would have to be some interesting data after the returned pointer. I didn't check if there is. Anyway, exit_cleanup() leads to at least a few free() calls, which could make it exploitable.

I think there are also some potential problems with 64-bit systems. There are a few arrays that assume their size will fit into an int. Normally you'd get out of memory before getting that high, but on 64-bit systems with enough memory you won't. Of course this also requires sending gigabytes of data, but the internet is fast nowadays.

--
To unsubscribe or change options: http://lists.samba.org/mailman/listinfo/rsync
Before posting, read: http://www.catb.org/~esr/faqs/smart-questions.html

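The size wraparound described in the mail, in a small added C example (this is not rsync's code). The first two helpers reproduce the arithmetic in 32-bit unsigned terms so the wrap is visible on any host; the rest shows the check a receive routine should apply before multiplying a peer-supplied count by an element size. struct sum_buf, alloc_sums_checked and the max_count cap are stand-ins assumed for the example, not rsync's definitions.

```c
#include <stdint.h>
#include <stdlib.h>
#include <stdio.h>

/* Stand-in for rsync's struct sum_buf, assumed for this example; only
 * its size (32 bytes on common ABIs) matters here. */
struct sum_buf {
    uint32_t sum1;     /* simple checksum */
    char sum2[20];     /* strong checksum */
    int32_t offset;
    int32_t len;
};

/* The unchecked arithmetic from the report, done in 32-bit unsigned
 * terms so the wraparound is visible on any host: count * elem_size is
 * reduced modulo 2^32, which a 32-bit size_t does silently. */
uint32_t wrapped_size32(uint32_t count, uint32_t elem_size)
{
    return count * elem_size;
}

/* 1 if the 32-bit product would wrap, i.e. the allocation would be
 * smaller than what the fill loop writes; 0 otherwise. */
int size_overflows32(uint32_t count, uint32_t elem_size)
{
    return (uint64_t)count * elem_size > UINT32_MAX;
}

/* Portable checked multiply: returns 1 and sets *out = count * elem_size
 * when the product fits in size_t, else returns 0 and leaves *out alone. */
int checked_mul(size_t count, size_t elem_size, size_t *out)
{
    if (elem_size != 0 && count > SIZE_MAX / elem_size)
        return 0;
    *out = count * elem_size;
    return 1;
}

/* Convenience form of checked_mul: the product, or 0 on overflow. */
size_t mul_or_zero(size_t count, size_t elem_size)
{
    size_t out = 0;
    return checked_mul(count, elem_size, &out) ? out : 0;
}

/* Hardened allocation for a peer-supplied count: reject negative and
 * implausibly large counts before any arithmetic, then multiply with an
 * overflow check. max_count is a policy cap assumed for the example.
 * Returns NULL on rejection; a caller should treat that as a protocol
 * error from the peer, not merely as out-of-memory. */
struct sum_buf *alloc_sums_checked(int32_t count, size_t max_count)
{
    size_t bytes;

    if (count < 0 || (size_t)count > max_count)
        return NULL;
    if (!checked_mul((size_t)count, sizeof(struct sum_buf), &bytes))
        return NULL;
    return malloc(bytes);
}

int main(void)
{
    /* 2^27 + 1 elements of 32 bytes: the true size is 2^32 + 32, which a
     * 32-bit size_t reduces to 32, so malloc() returns room for a single
     * element while the receive loop goes on to fill 2^27 + 1 of them. */
    uint32_t count = 0x08000001u;
    printf("count=%u elem=32 wrapped=%u overflows=%d\n",
           count, wrapped_size32(count, 32), size_overflows32(count, 32));

    struct sum_buf *s = alloc_sums_checked(16, 1u << 20);
    printf("count=16 -> %s\n", s ? "allocated" : "rejected");
    free(s);
    printf("count=-1 -> %s\n",
           alloc_sums_checked(-1, 1u << 20) ? "allocated" : "rejected");
    return 0;
}
```

The cap on count is the part that matters in practice: on a 64-bit host the multiplication itself no longer wraps for any int32_t count, but an unchecked count still lets a peer demand gigabytes of allocation, which is the second concern raised above. calloc() performs the same overflow check internally in conforming C libraries, but an explicit bound on the count is still needed to reject absurd values early.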