Hey,

attached is a patch fixing some flaws (invalid write and fd exhaustion)
in handling the --exclude-tag* options.  The original bug report,
including reproducers, traces, and the like, is available
at https://bugzilla.redhat.com/570591

Thanks in advance for considering the patch!

Kamil
From 86f43f08ec5ebb384e17d815d3f2764227129e5c Mon Sep 17 00:00:00 2001
From: Kamil Dudka <[email protected]>
Date: Mon, 8 Mar 2010 10:51:59 +0100
Subject: [PATCH] Fix bugs in handling the --exclude-tag* options.

originally reported at https://bugzilla.redhat.com/570591
* src/create.c (check_exclusion_tags): Recompute the 'nptr' pointer to
prevent invalid write when the call of xrealloc () has invalidated its
value.
(dump_file0): Close the descriptor when a directory is excluded.
---
 src/create.c |    8 ++++++++
 1 files changed, 8 insertions(+), 0 deletions(-)

diff --git a/src/create.c b/src/create.c
index 209e428..c4e33c0 100644
--- a/src/create.c
+++ b/src/create.c
@@ -97,6 +97,12 @@ check_exclusion_tags (const char *dirname, const char **tag_file_name)
 	  if (addslash)
 	    *nptr++ = '/';
 	}
+
+      if (size == tagsize)
+	/* the xrealloc above may invalidate nptr
+	   https://bugzilla.redhat.com/570591 */
+	nptr = tagname + dlen + addslash;
+
       strcpy (nptr, tag->name);
       if (access (tagname, F_OK) == 0
 	  && (!tag->predicate || tag->predicate (tagname)))
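Review bot: The guard "if (size == tagsize)" in front of the new "nptr = tagname + dlen + addslash;" is only an indirect test for "the xrealloc ran", and nothing in the visible lines ties that equality to the reallocation. The assignment derives nptr purely from tagname, dlen and addslash, so consider making it unconditional right before "strcpy (nptr, tag->name);". That way the write target can never be a stale pointer into the old buffer, even if the size bookkeeping changes later. If the guard stays, the comment should state why the equality implies that a reallocation happened, rather than only linking to the bug report.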
@@ -1591,6 +1597,8 @@ dump_file0 (struct tar_stat_info *st, const char *p,
 	    {
 	      exclusion_tag_warning (st->orig_file_name, tag_file_name,
 				     _("directory not dumped"));
+	      if (0 <= fd)
+		close (fd);
 	      return;
 	    }
 	  
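Review bot: The "if (0 <= fd) close (fd);" added before the return in the exclusion-tag branch of dump_file0 fixes this one exit by hand, so any other early return taken while fd is open would leak a descriptor in the same way. Please confirm that the remaining return paths between the open and the normal close were audited, or route them through a single cleanup path so that the descriptor is released in one place. The 0 <= fd test itself is appropriate for a descriptor that may not have been opened on this path.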
-- 
1.6.6.1