https://bugzilla.samba.org/show_bug.cgi?id=11338
--- Comment #4 from Michal Ruprich <mrupr...@redhat.com> ---
Hi,

we have encountered a similar segfault a couple of years ago. As you can see
here in comment #2, the "p *in" shows that the input buffer's size and len are
unreasonably huge - len = 18446744073709532799, size = 18446744073709551615,
which leads to the assumption that there was a buffer overflow here. We were
never able to create a reliable reproducer for this but after some analysis,
we think that the problem is in the rwrite function:

    #ifdef ICONV_CONST
        if (ic != (iconv_t)-1) {
            xbuf outbuf, inbuf;
            char convbuf[1024];
            int ierrno;

            INIT_CONST_XBUF(outbuf, convbuf);
            INIT_XBUF(inbuf, (char*)buf, len, (size_t)-1);

            while (inbuf.len) {
                iconvbufs(ic, &inbuf, &outbuf, inbuf.pos ? 0 : ICB_INIT);
                ierrno = errno;
                if (outbuf.len) {
                    filtered_fwrite(f, convbuf, outbuf.len, 0);
                    outbuf.len = 0;
                }
                if (!ierrno || ierrno == E2BIG)
                    continue;
                fprintf(f, "\\#%03o", CVAL(inbuf.buf, inbuf.pos++));
                inbuf.len--;    <============== no check for the buffer length
            }
        } else
    #endif

The problem is (probably) that the input buffer length is changed in the
iconvbufs function, and the rwrite function is dependent on the iconvbufs
return values. I know that there have been changes in the iconvbufs code over
the years and without a reproducer it is hard to test this, but we came up with
a patch to make the rsync code in rwrite a little bit more robust. Adding the
patch.
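A stand-alone C model of the length arithmetic the comment describes, added here as an illustration; it is not rsync code and not the patch attached to the bug. It assumes a minimal xbuf with the field names used in the quoted snippet and two constructed converter behaviours: Model A stops at a bad byte and leaves it unconsumed, the way iconv(3) reports EILSEQ; Model B is the hypothesised case where the converter has already consumed the whole input and still reports EILSEQ. With Model B, the quoted loop decrements a size_t that is already 0, which wraps to SIZE_MAX (18446744073709551615 on a 64-bit build, the same value reported for size in comment #2), and the real code would read CVAL(inbuf.buf, inbuf.pos++) past the buffer on the way. The guarded variant adds the length check before escaping a byte. Whether iconvbufs can actually behave like Model B is the open question in the thread; the model only makes the consequence reproducible.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not rsync code. Stand-in for rsync's xbuf; only the field
 * names mirror the quoted rwrite snippet. */
typedef struct {
    const char *buf;
    size_t pos;   /* next unconsumed byte */
    size_t len;   /* bytes remaining from pos */
} xbuf;

/* Converter model in the style of iconv: outcome is reported through errno
 * (0 = all input consumed, E2BIG = staging buffer full, EILSEQ = bad byte). */
typedef void (*conv_fn)(xbuf *in, char *out, size_t *outlen, size_t outcap);

/* Model A (constructed): a well-behaved converter. Copies 7-bit bytes, stops
 * at the first byte >= 0x80 and leaves that byte unconsumed. */
static void conv_stop_at_bad(xbuf *in, char *out, size_t *outlen, size_t outcap)
{
    errno = 0;
    while (in->len) {
        unsigned char c = (unsigned char)in->buf[in->pos];
        if (c >= 0x80) { errno = EILSEQ; return; }
        if (*outlen == outcap) { errno = E2BIG; return; }
        out[(*outlen)++] = (char)c;
        in->pos++;
        in->len--;
    }
}

/* Model B (constructed): the behaviour the comment hypothesises. Consumes all
 * remaining input, produces nothing, and still reports EILSEQ. */
static void conv_consume_all(xbuf *in, char *out, size_t *outlen, size_t outcap)
{
    (void)out; (void)outlen; (void)outcap;
    in->pos += in->len;
    in->len = 0;
    errno = EILSEQ;
}

/* The loop as quoted: no check before inbuf.len--. Returns in.len when the
 * loop exits; max_iters stops it where it would otherwise spin forever. The
 * byte the real code reads via CVAL(inbuf.buf, inbuf.pos++) is deliberately
 * not dereferenced here, because with Model B pos is already past the end. */
static size_t unguarded_loop(conv_fn convert, const char *data, size_t n, unsigned max_iters)
{
    xbuf in = { data, 0, n };
    char convbuf[8];
    size_t staged = 0;
    unsigned iters = 0;
    while (in.len) {
        if (iters++ >= max_iters) break;
        convert(&in, convbuf, &staged, sizeof convbuf);
        int ierrno = errno;
        staged = 0;                         /* "flush" (output discarded) */
        if (!ierrno || ierrno == E2BIG) continue;
        in.pos++;
        in.len--;                           /* 0 - 1 wraps to SIZE_MAX */
    }
    return in.len;
}

/* Same loop with the guard the comment asks for: escape a byte only if one is
 * actually left. Writes converted text plus \#ooo escapes into out and returns
 * the length, or (size_t)-1 if out is too small. */
static size_t guarded_loop(conv_fn convert, const char *data, size_t n, char *out, size_t outcap)
{
    xbuf in = { data, 0, n };
    char convbuf[8];
    size_t staged = 0, outlen = 0;
    while (in.len) {
        convert(&in, convbuf, &staged, sizeof convbuf);
        int ierrno = errno;
        if (staged) {                       /* flush staged output */
            if (outlen + staged >= outcap) return (size_t)-1;
            memcpy(out + outlen, convbuf, staged);
            outlen += staged;
            staged = 0;
        }
        if (!ierrno || ierrno == E2BIG) continue;
        if (in.len == 0 || in.pos >= n) break;   /* the missing check */
        int k = snprintf(out + outlen, outcap - outlen, "\\#%03o",
                         (unsigned char)in.buf[in.pos]);
        if (k < 0 || (size_t)k >= outcap - outlen) return (size_t)-1;
        outlen += (size_t)k;
        in.pos++;
        in.len--;
    }
    out[outlen] = '\0';
    return outlen;
}

int main(void)
{
    char out[64];
    const char *s = "ab\xff" "c";   /* constructed input: one non-ASCII byte */
    printf("unguarded, Model B: len after loop = %zu\n", unguarded_loop(conv_consume_all, s, 4, 1));
    size_t n = guarded_loop(conv_stop_at_bad, s, 4, out, sizeof out);
    printf("guarded,   Model A: %zu bytes: %s\n", n, out);
    return 0;
}
```

The guard is deliberately two conditions: in.len == 0 catches the case where the converter consumed everything, and in.pos >= n catches a converter that advanced pos without keeping len in step. The staging buffer is only 8 bytes so that the E2BIG path is exercised on inputs longer than that.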