3c55673deb
Resolves: RHEL-70209 - --safe-links option bypass leads to path traversal Resolves: RHEL-72502 - Race Condition in rsync Handling Symbolic Links Resolves: RHEL-70157 - Info Leak via Uninitialized Stack Contents
37 lines
1.1 KiB
Diff
37 lines
1.1 KiB
Diff
diff --git a/flist.c b/flist.c
|
|
index 464d556..087f9da 100644
|
|
--- a/flist.c
|
|
+++ b/flist.c
|
|
@@ -2584,6 +2584,19 @@ struct file_list *recv_file_list(int f, int dir_ndx)
|
|
init_hard_links();
|
|
#endif
|
|
|
|
+ if (inc_recurse && dir_ndx >= 0) {
|
|
+ if (dir_ndx >= dir_flist->used) {
|
|
+ rprintf(FERROR_XFER, "rsync: refusing invalid dir_ndx %u >= %u\n", dir_ndx, dir_flist->used);
|
|
+ exit_cleanup(RERR_PROTOCOL);
|
|
+ }
|
|
+ struct file_struct *file = dir_flist->files[dir_ndx];
|
|
+ if (file->flags & FLAG_GOT_DIR_FLIST) {
|
|
+ rprintf(FERROR_XFER, "rsync: refusing malicious duplicate flist for dir %d\n", dir_ndx);
|
|
+ exit_cleanup(RERR_PROTOCOL);
|
|
+ }
|
|
+ file->flags |= FLAG_GOT_DIR_FLIST;
|
|
+ }
|
|
+
|
|
flist = flist_new(0, "recv_file_list");
|
|
|
|
if (inc_recurse) {
|
|
diff --git a/rsync.h b/rsync.h
|
|
index b357dad..bc9abac 100644
|
|
--- a/rsync.h
|
|
+++ b/rsync.h
|
|
@@ -83,6 +83,7 @@
|
|
#define FLAG_SKIP_GROUP (1<<10) /* receiver/generator */
|
|
#define FLAG_TIME_FAILED (1<<11)/* generator */
|
|
#define FLAG_MOD_NSEC (1<<12) /* sender/receiver/generator */
|
|
+#define FLAG_GOT_DIR_FLIST (1<<13)/* sender/receiver/generator - dir_flist only */
|
|
|
|
/* These flags are passed to functions but not stored. */
|
|
|