Fix use-after-free in generator

full_fname() will free the return value in the next call so we need to duplicate it before passing it to rsyserr. Fixes: https://github.com/RsyncProject/rsync/issues/704
2025-12-23 23:28:17 -05:00 · 2025-01-15 15:48:04 +01:00
parent 996af4a79f
commit 81ead9e70c
1 changed files with 5 additions and 1 deletions
--- a/generator.c
+++ b/generator.c
@@ -2041,8 +2041,12 @@ int atomic_create(struct file_struct *file, char *fname, const char *slnk, const

 	if (!skip_atomic) {
 		if (do_rename(tmpname, fname) < 0) {
+			char *full_tmpname = strdup(full_fname(tmpname));
+			if (full_tmpname == NULL)
+				out_of_memory("atomic_create");
 			rsyserr(FERROR_XFER, errno, "rename %s -> \"%s\" failed",
-				full_fname(tmpname), full_fname(fname));
+				full_tmpname, full_fname(fname));
+			free(full_tmpname);
 			do_unlink(tmpname);
 			return 0;
 		}