Fix for CVE-2014-9512 from upstream at https://rsync.samba.org
--- rsync-3.1.1/flist.c.old 2015-09-04 14:58:04.610748249 -0700
+++ rsync-3.1.1/flist.c 2015-09-04 15:02:22.838695225 -0700
@@ -2435,8 +2435,9 @@
return flist;
}
-struct file_list *recv_file_list(int f)
+struct file_list *recv_file_list(int f, int dir_ndx)
{
+ const char *good_dirname = NULL;
struct file_list *flist;
int dstart, flags;
int64 start_read;
@@ -2491,6 +2492,23 @@
flist_expand(flist, 1);
file = recv_file_entry(f, flist, flags);
+ if (inc_recurse) {
+ static const char empty_dir[] = "\0";
+ const char *cur_dir = file->dirname ? file->dirname : empty_dir;
+ if (relative_paths && *cur_dir == '/')
+ cur_dir++;
+ if (cur_dir != good_dirname) {
+ const char *d = dir_ndx >= 0 ? f_name(dir_flist->files[dir_ndx], NULL) : empty_dir;
+ if (strcmp(cur_dir, d) != 0) {
+ rprintf(FERROR,
+ "ABORTING due to invalid dir prefix from sender: %s (should be: %s)\n",
+ cur_dir, d);
+ exit_cleanup(RERR_PROTOCOL);
+ }
+ good_dirname = cur_dir;
+ }
+ }
+
if (S_ISREG(file->mode)) {
/* Already counted */
@@ -2615,7 +2633,7 @@
rprintf(FINFO, "[%s] receiving flist for dir %d\n",
who_am_i(), ndx);
}
- flist = recv_file_list(f);
+ flist = recv_file_list(f, ndx);
flist->parent_ndx = ndx;
}
}
--- rsync-3.1.1/io.c.old 2015-09-04 14:58:15.706192874 -0700
+++ rsync-3.1.1/io.c 2015-09-04 15:05:23.471180002 -0700
@@ -1685,7 +1685,7 @@
rprintf(FINFO, "[%s] receiving flist for dir %d\n",
who_am_i(), ndx);
}
- flist = recv_file_list(iobuf.in_fd);
+ flist = recv_file_list(iobuf.in_fd, ndx);
flist->parent_ndx = ndx;
#ifdef SUPPORT_HARD_LINKS
if (preserve_hard_links)
--- rsync-3.1.1/main.c.old 2015-09-04 14:58:24.905761717 -0700
+++ rsync-3.1.1/main.c 2015-09-04 15:07:00.835145092 -0700
@@ -1010,7 +1010,7 @@
filesfrom_fd = -1;
}
- flist = recv_file_list(f_in);
+ flist = recv_file_list(f_in, -1);
if (!flist) {
rprintf(FERROR,"server_recv: recv_file_list error\n");
exit_cleanup(RERR_FILESELECT);
@@ -1184,7 +1184,7 @@
if (write_batch && !am_server)
start_write_batch(f_in);
- flist = recv_file_list(f_in);
+ flist = recv_file_list(f_in, -1);
if (inc_recurse && file_total == 1)
recv_additional_file_list(f_in);
--- rsync-3.1.1/rsync.c.old 2015-09-04 14:58:51.928552530 -0700
+++ rsync-3.1.1/rsync.c 2015-09-04 15:07:59.696578389 -0700
@@ -364,7 +364,7 @@
}
/* Send all the data we read for this flist to the generator. */
start_flist_forward(ndx);
- flist = recv_file_list(f_in);
+ flist = recv_file_list(f_in, ndx);
flist->parent_ndx = ndx;
stop_flist_forward();
}
--- rsync-3.1.1/proto.h.old 2015-09-04 17:46:09.133140046 -0700
+++ rsync-3.1.1/proto.h 2015-09-04 17:45:12.510951663 -0700
@@ -89,7 +89,7 @@
void unmake_file(struct file_struct *file);
void send_extra_file_list(int f, int at_least);
struct file_list *send_file_list(int f, int argc, char *argv[]);
-struct file_list *recv_file_list(int f);
+struct file_list *recv_file_list(int f, int dir_ndx);
void recv_additional_file_list(int f);
int flist_find(struct file_list *flist, struct file_struct *f);
int flist_find_ignore_dirness(struct file_list *flist, struct file_struct *f);