Wednesday, August 15, 2007

CVE-2007-4091

It still pays to have a look at open source projects.
rsync 2.6.9 contains two off-by-one stack overflows, one of which has a target buffer that sits right next to the saved frame pointer.
The problematic function is f_name().
It assumes that the target buffer it is handed has MAXPATHLEN bytes available from the pointer it receives: the size argument it computes for strlcpy() is derived from MAXPATHLEN, so if the pointer does not point at the start of a MAXPATHLEN-byte buffer, that size is too large.
Let's have a look at the f_name() calls in the following two pictures.
An offset is added to the fname buffer, which is of size MAXPATHLEN, and the resulting pointer is passed to f_name().
The offset is strlen(dir.root) plus one (for the slash that separates dir.root from the rest of the name).
Within successful_send(), the buffer should be the immediate neighbor of the saved frame pointer, since a buffer of MAXPATHLEN bytes needs no alignment padding.
Thus the assumption f_name() makes about the size of its target buffer is wrong: it may write up to offset bytes past the end of fname.
However, there is a check in make_file() that verifies whether the received directory and path names together would overrun MAXPATHLEN bytes. flist_dir_len is exactly what later becomes strlen(dir.root). However, the slash inserted between dir.root and the name is not counted, so the check is off by one: a name that passes it makes f_name() write exactly one byte, the terminating NUL, past the end of fname. :-) Happy PoCing!
Updated rsync packages for SUSE are already available via the online updater.
A fix for rsync itself is also available.