The len field in the proxy v2 header was declared as signed char,
allowing a negative size to bypass the validation check and cause
a stack buffer overflow when passed to read_buf() as size_t.
This bug was reported by John Walker from ZeroPath, many thanks for
the clear report!
With the current code this bug does not represent a security issue as
it only results in the exit of the forked process that is specific to
the attached client, so it is equivalent to the client closing the
socket, so no CVE for this, but it is good to fix it to prevent a
future issue.
Added the client rsync-ssl script and various client/daemon support
files needed for talking to an rsync daemon over SSL on port 874 (no
tls support). This uses an elegant stunnel setup that was detailed
by dozzie (see the resources page) now that stunnel4 has improved
command-spawning support. Also incorporates some tweaks by devzero
(e.g. the nice no-tmpfile-config client-side code) and a few by me
(including logging of the actual remote IP that came in to the
stunnel process). This probably still needs a little work.
- Standardized the format of the opening comment, including adding a
brief description of what's in the file for those that lacked it.
- Added some missing copyright lines.
- Some minor whitespace tweaks (in a few of the files).
struct in_addr, which means passing &sin.sin_addr instead of
&sin.sin_addr.s_addr. Also changed the AF_INET6 version to pass
&sin6.sin6_addr. Hopefully this will fix UNICOS and not break
anyone else.
* Moved some structures in client_name() so that they remain in-scope for
the entire function (since we set pointers to their storage location).
* Allow the dot-counting loop to increment to 4 instead of stopping at 3.
in place: simply check the "am_server" global variable, which is not set
true when the daemon is listening for connections (daemon_main is not
called in main.c if am_server is set).
-e ssh and :: together. Uses $SSH_CLIENT to locate the IP address
(was attempting to before but it didn't always work) and then uses
inet_pton() on that and getnameinfo() to find the name.
