util1: handle out-of-range times in timestring

fixes a one byte stack overflow when using RSYNC_PROXY with a
malicious proxy.

Reach: only when RSYNC_PROXY is set and a malicious or MITM'd
proxy returns the pathological response.  The byte written is
always '\0' and the attacker doesn't choose the offset, so impact
is corruption of one adjacent stack byte and possible later
misbehaviour or crash -- no information disclosure beyond the
existing rprintf of buffer contents.

Reported by Aisle Research via Michal Ruprich

.cirrus.yml

@@ -1,7 +1,7 @@
 freebsd_task:
   name: FreeBSD
   freebsd_instance:
-    image_family: freebsd-12-2
+    image_family: freebsd-13-1
   env:
     PATH: /usr/local/bin:$PATH
   prep_script:

.github/workflows/almalinux-8-build.yml

@@ -0,0 +1,76 @@
+name: Test rsync on AlmaLinux 8
+
+# Older-LTS coverage on the Fedora/RHEL family to help with backporting
+# security fixes. AlmaLinux 8 is the RHEL 8 rebuild and is the oldest
+# active LTS in this family (RHEL 8 full support runs to 2029).
+# GitHub Actions has no native runner for this family, so the job runs
+# inside an almalinux:8 container hosted on ubuntu-latest.
+
+on:
+  push:
+    branches: [ master ]
+    paths-ignore:
+      - '.github/workflows/*.yml'
+      - '!.github/workflows/almalinux-8-build.yml'
+  pull_request:
+    paths-ignore:
+      - '.github/workflows/*.yml'
+      - '!.github/workflows/almalinux-8-build.yml'
+  schedule:
+    - cron: '42 8 * * *'
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+    container:
+      image: almalinux:8
+    name: Test rsync on AlmaLinux 8
+    steps:
+    - name: install git
+      # actions/checkout needs git in the container before the checkout step.
+      run: dnf -y install git
+    - uses: actions/checkout@v4
+      with:
+        fetch-depth: 0
+    - name: prep
+      # PowerTools is needed for libzstd-devel etc; xxhash and lz4 dev
+      # headers live in EPEL on RHEL 8. The default python3 on RHEL 8
+      # is 3.6, which is too old for runtests.py (uses capture_output=
+      # / text= introduced in 3.7), so install python39 and point
+      # /usr/bin/python3 at it.
+      run: |
+        dnf -y install epel-release
+        dnf config-manager --set-enabled powertools
+        dnf -y install gcc gcc-c++ make autoconf automake m4 \
+            python39 python39-pip diffutils \
+            openssl openssl-devel \
+            attr libattr-devel acl libacl-devel \
+            zstd libzstd-devel \
+            lz4 lz4-devel \
+            xxhash xxhash-devel
+        alternatives --set python3 /usr/bin/python3.9
+        pip3 install commonmark
+    - name: configure
+      run: ./configure --with-rrsync
+    - name: make
+      run: make
+    - name: info
+      run: ./rsync --version
+    - name: check
+      # In the container we already run as root, so no sudo. The
+      # crtimes-not-supported skip matches the other Linux jobs.
+      run: RSYNC_EXPECT_SKIPPED=crtimes make check
+    - name: ssl file list
+      run: ./rsync-ssl --no-motd download.samba.org::rsyncftp/ || true
+    - name: save artifact
+      uses: actions/upload-artifact@v4
+      with:
+        name: almalinux-8-bin
+        path: |
+          rsync
+          rsync-ssl
+          rsync.1
+          rsync-ssl.1
+          rsyncd.conf.5
+          rrsync.1
+          rrsync

.github/workflows/build.yml

@@ -1,126 +0,0 @@
-name: build
-
-on:
-  push:
-    branches: [ master ]
-    paths-ignore: [ .cirrus.yml ]
-  pull_request:
-    branches: [ master ]
-    paths-ignore: [ .cirrus.yml ]
-  schedule:
-    - cron: '42 8 * * *'
-
-jobs:
-
-  ubuntu-build:
-    runs-on: ubuntu-20.04
-    steps:
-    - uses: actions/checkout@v2
-    - name: prep
-      run: |
-        sudo apt-get install acl libacl1-dev attr libattr1-dev liblz4-dev libzstd-dev libxxhash-dev python3-cmarkgfm openssl wget
-        wget -O git-version.h https://gist.githubusercontent.com/WayneD/c11243fa374fc64d4e42f2855c8e3827/raw/rsync-git-version.h
-        echo "/usr/local/bin" >>$GITHUB_PATH
-    - name: configure
-      run: ./configure --with-rrsync
-    - name: make
-      run: make
-    - name: install
-      run: sudo make install
-    - name: info
-      run: rsync --version
-    - name: check
-      run: sudo RSYNC_EXPECT_SKIPPED=crtimes make check
-    - name: check30
-      run: sudo RSYNC_EXPECT_SKIPPED=crtimes make check30
-    - name: check29
-      run: sudo RSYNC_EXPECT_SKIPPED=crtimes make check29
-    - name: ssl file list
-      run: rsync-ssl --no-motd download.samba.org::rsyncftp/ || true
-    - name: save artifact
-      uses: actions/upload-artifact@v2
-      with:
-        name: ubuntu-bin
-        path: |
-          rsync
-          rsync-ssl
-          rsync.1
-          rsync-ssl.1
-          rsyncd.conf.5
-          rrsync.1
-          rrsync
-
-  macos-build:
-    runs-on: macos-latest
-    steps:
-    - uses: actions/checkout@v2
-    - name: prep
-      run: |
-        brew install automake openssl xxhash zstd lz4 wget
-        sudo pip3 install commonmark
-        wget -O git-version.h https://gist.githubusercontent.com/WayneD/c11243fa374fc64d4e42f2855c8e3827/raw/rsync-git-version.h
-        echo "/usr/local/bin" >>$GITHUB_PATH
-    - name: configure
-      run: CPPFLAGS=-I/usr/local/opt/openssl/include/ LDFLAGS=-L/usr/local/opt/openssl/lib/ ./configure --with-rrsync
-    - name: make
-      run: make
-    - name: install
-      run: sudo make install
-    - name: info
-      run: rsync --version
-    - name: check
-      run: sudo RSYNC_EXPECT_SKIPPED=acls-default,chmod-temp-dir,chown-fake,devices-fake,dir-sgid,protected-regular,xattrs-hlink,xattrs make check
-    - name: ssl file list
-      run: rsync-ssl --no-motd download.samba.org::rsyncftp/ || true
-    - name: save artifact
-      uses: actions/upload-artifact@v2
-      with:
-        name: macos-bin
-        path: |
-          rsync
-          rsync-ssl
-          rsync.1
-          rsync-ssl.1
-          rsyncd.conf.5
-          rrsync.1
-          rrsync
-
-  cygwin-build:
-    runs-on: windows-latest
-    if: (github.event_name == 'schedule' || contains(github.event.head_commit.message, '[buildall]'))
-    steps:
-    - uses: actions/checkout@v2
-    - uses: crazy-max/ghaction-chocolatey@v1.2.2
-      with:
-        args: install -y --no-progress cygwin cyg-get
-    - name: prep
-      run: |
-        cyg-get make autoconf automake gcc-core attr libattr-devel python38 python38-pip libzstd-devel liblz4-devel libssl-devel libxxhash0 libxxhash-devel
-        curl.exe -o git-version.h https://gist.githubusercontent.com/WayneD/c11243fa374fc64d4e42f2855c8e3827/raw/rsync-git-version.h
-        echo "C:/tools/cygwin/bin" >>$Env:GITHUB_PATH
-    - name: commonmark
-      run: bash -c 'python3 -mpip install --user commonmark'
-    - name: configure
-      run: bash -c './configure --with-rrsync'
-    - name: make
-      run: bash -c 'make'
-    - name: install
-      run: bash -c 'make install'
-    - name: info
-      run: bash -c '/usr/local/bin/rsync --version'
-    - name: check
-      run: bash -c 'RSYNC_EXPECT_SKIPPED=acls-default,acls,chown,devices,dir-sgid,protected-regular make check'
-    - name: ssl file list
-      run: bash -c 'PATH="/usr/local/bin:$PATH" rsync-ssl --no-motd download.samba.org::rsyncftp/ || true'
-    - name: save artifact
-      uses: actions/upload-artifact@v2
-      with:
-        name: cygwin-bin
-        path: |
-          rsync.exe
-          rsync-ssl
-          rsync.1
-          rsync-ssl.1
-          rsyncd.conf.5
-          rrsync.1
-          rrsync

.github/workflows/cygwin-build.yml

@@ -0,0 +1,55 @@
+name: Test rsync on Cygwin
+
+on:
+  push:
+    branches: [ master ]
+    paths-ignore:
+      - '.github/workflows/*.yml'
+      - '!.github/workflows/cygwin-build.yml'
+  pull_request:
+    paths-ignore:
+      - '.github/workflows/*.yml'
+      - '!.github/workflows/cygwin-build.yml'
+  schedule:
+    - cron: '42 8 * * *'
+
+jobs:
+  test:
+    runs-on: windows-2022
+    name: Test rsync on Cygwin
+    steps:
+    - uses: actions/checkout@v4
+      with:
+        fetch-depth: 0
+    - name: cygwin
+      run: choco install -y --no-progress cygwin cyg-get
+    - name: prep
+      run: |
+        cyg-get make autoconf automake gcc-core attr libattr-devel python39 python39-pip libzstd-devel liblz4-devel libssl-devel libxxhash0 libxxhash-devel
+        echo "C:/tools/cygwin/bin" >>$Env:GITHUB_PATH
+    - name: commonmark
+      run: bash -c 'python3 -mpip install --user commonmark'
+    - name: configure
+      run: bash -c './configure --with-rrsync'
+    - name: make
+      run: bash -c 'make'
+    - name: install
+      run: bash -c 'make install'
+    - name: info
+      run: bash -c '/usr/local/bin/rsync --version'
+    - name: check
+      run: bash -c 'RSYNC_EXPECT_SKIPPED=acls-default,acls,bare-do-open-symlink-race,chdir-symlink-race,chmod-symlink-race,chown,clean-fname-underflow,daemon-chroot-acl,devices,dir-sgid,protected-regular,sender-flist-symlink-leak,simd-checksum,symlink-dirlink-basis make check'
+    - name: ssl file list
+      run: bash -c 'PATH="/usr/local/bin:$PATH" rsync-ssl --no-motd download.samba.org::rsyncftp/ || true'
+    - name: save artifact
+      uses: actions/upload-artifact@v4
+      with:
+        name: cygwin-bin
+        path: |
+          rsync.exe
+          rsync-ssl
+          rsync.1
+          rsync-ssl.1
+          rsyncd.conf.5
+          rrsync.1
+          rrsync

.github/workflows/freebsd-build.yml

@@ -0,0 +1,49 @@
+name: Test rsync on FreeBSD
+
+on:
+  push:
+    branches: [ master ]
+    paths-ignore:
+      - '.github/workflows/*.yml'
+      - '!.github/workflows/freebsd-build.yml'
+  pull_request:
+    paths-ignore:
+      - '.github/workflows/*.yml'
+      - '!.github/workflows/freebsd-build.yml'
+  schedule:
+    - cron: '42 8 * * *'
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+    name: Test rsync on FreeBSD
+    steps:
+    - uses: actions/checkout@v4
+      with:
+        fetch-depth: 0
+    - name: Test in FreeBSD VM
+      id: test
+      uses: vmactions/freebsd-vm@v1
+      with:
+        usesh: true
+        prepare: |
+          pkg install -y bash autotools m4 devel/xxhash zstd liblz4 python3 archivers/liblz4 git
+        run: |
+          freebsd-version
+          ./configure --with-rrsync -disable-zstd --disable-md2man --disable-xxhash --disable-lz4
+          make
+          ./rsync --version
+          make check
+          ./rsync-ssl --no-motd download.samba.org::rsyncftp/ || true
+    - name: save artifact
+      uses: actions/upload-artifact@v4
+      with:
+        name: freebsd-bin
+        path: |
+          rsync
+          rsync-ssl
+          rsync.1
+          rsync-ssl.1
+          rsyncd.conf.5
+          rrsync.1
+          rrsync

.github/workflows/macos-build.yml

@@ -0,0 +1,57 @@
+name: Test rsync on macOS
+
+on:
+  push:
+    branches: [ master ]
+    paths-ignore:
+      - '.github/workflows/*.yml'
+      - '!.github/workflows/macos-build.yml'
+  pull_request:
+    paths-ignore:
+      - '.github/workflows/*.yml'
+      - '!.github/workflows/macos-build.yml'
+  schedule:
+    - cron: '42 8 * * *'
+
+jobs:
+  test:
+    runs-on: macos-latest
+    name: Test rsync on macOS
+    steps:
+    - uses: actions/checkout@v4
+      with:
+        fetch-depth: 0
+    - name: prep
+      run: |
+        brew install automake openssl xxhash zstd lz4
+        pip3 install --user --break-system-packages commonmark
+        echo "$(brew --prefix)/bin" >>$GITHUB_PATH
+    - name: configure
+      run: |
+        BREW_PREFIX=$(brew --prefix)
+        OPENSSL_PREFIX=$(brew --prefix openssl)
+        CPPFLAGS="-I${BREW_PREFIX}/include -I${OPENSSL_PREFIX}/include" \
+        LDFLAGS="-L${BREW_PREFIX}/lib -L${OPENSSL_PREFIX}/lib" \
+        ./configure --with-rrsync
+    - name: make
+      run: make
+    - name: install
+      run: sudo make install
+    - name: info
+      run: rsync --version
+    - name: check
+      run: sudo RSYNC_EXPECT_SKIPPED=acls-default,chmod-temp-dir,chown-fake,clean-fname-underflow,daemon-chroot-acl,devices-fake,dir-sgid,protected-regular,simd-checksum,xattrs-hlink,xattrs make check
+    - name: ssl file list
+      run: rsync-ssl --no-motd download.samba.org::rsyncftp/ || true
+    - name: save artifact
+      uses: actions/upload-artifact@v4
+      with:
+        name: macos-bin
+        path: |
+          rsync
+          rsync-ssl
+          rsync.1
+          rsync-ssl.1
+          rsyncd.conf.5
+          rrsync.1
+          rrsync

.github/workflows/netbsd-build.yml

@@ -0,0 +1,51 @@
+name: Test rsync on NetBSD
+
+on:
+  push:
+    branches: [ master ]
+    paths-ignore:
+      - '.github/workflows/*.yml'
+      - '!.github/workflows/netbsd-build.yml'
+  pull_request:
+    branches: [ master ]
+    paths-ignore:
+      - '.github/workflows/*.yml'
+      - '!.github/workflows/netbsd-build.yml'
+  schedule:
+    - cron: '42 8 * * *'
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+    name: Test rsync on NetBSD
+    steps:
+    - uses: actions/checkout@v4
+      with:
+        fetch-depth: 0
+    - name: Test in NetBSD VM
+      id: test
+      uses: vmactions/netbsd-vm@v1
+      with:
+        usesh: true
+        prepare: |
+          PATH=/usr/sbin:$PATH pkg_add autoconf automake python312
+          ln -sf /usr/pkg/bin/python3.12 /usr/pkg/bin/python3
+        run: |
+          uname -a
+          ./configure --with-rrsync --disable-zstd --disable-md2man --disable-xxhash --disable-lz4
+          make
+          ./rsync --version
+          make check
+          ./rsync-ssl --no-motd download.samba.org::rsyncftp/ || true
+    - name: save artifact
+      uses: actions/upload-artifact@v4
+      with:
+        name: netbsd-bin
+        path: |
+          rsync
+          rsync-ssl
+          rsync.1
+          rsync-ssl.1
+          rsyncd.conf.5
+          rrsync.1
+          rrsync

.github/workflows/openbsd-build.yml

@@ -0,0 +1,52 @@
+name: Test rsync on OpenBSD
+
+on:
+  push:
+    branches: [ master ]
+    paths-ignore:
+      - '.github/workflows/*.yml'
+      - '!.github/workflows/openbsd-build.yml'
+  pull_request:
+    branches: [ master ]
+    paths-ignore:
+      - '.github/workflows/*.yml'
+      - '!.github/workflows/openbsd-build.yml'
+  schedule:
+    - cron: '42 8 * * *'
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+    name: Test rsync on OpenBSD
+    steps:
+    - uses: actions/checkout@v4
+      with:
+        fetch-depth: 0
+    - name: Test in OpenBSD VM
+      id: test
+      uses: vmactions/openbsd-vm@v1
+      with:
+        usesh: true
+        prepare: |
+          pkg_add -I bash autoconf%2.71 automake%1.16
+        run: |
+          uname -a
+          export AUTOCONF_VERSION=2.71
+          export AUTOMAKE_VERSION=1.16
+          ./configure --with-rrsync --disable-zstd --disable-md2man --disable-xxhash --disable-lz4
+          make
+          ./rsync --version
+          make check
+          ./rsync-ssl --no-motd download.samba.org::rsyncftp/ || true
+    - name: save artifact
+      uses: actions/upload-artifact@v4
+      with:
+        name: openbsd-bin
+        path: |
+          rsync
+          rsync-ssl
+          rsync.1
+          rsync-ssl.1
+          rsyncd.conf.5
+          rrsync.1
+          rrsync

.github/workflows/solaris-build.yml

@@ -0,0 +1,49 @@
+name: Test rsync on Solaris
+
+on:
+  push:
+    branches: [ master ]
+    paths-ignore:
+      - '.github/workflows/*.yml'
+      - '!.github/workflows/solaris-build.yml'
+  pull_request:
+    paths-ignore:
+      - '.github/workflows/*.yml'
+      - '!.github/workflows/solaris-build.yml'
+  schedule:
+    - cron: '42 8 * * *'
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+    name: Test rsync on Solaris
+    steps:
+    - uses: actions/checkout@v4
+      with:
+        fetch-depth: 0
+    - name: Test in Solaris VM
+      id: test
+      uses: vmactions/solaris-vm@v1
+      with:
+        usesh: true
+        prepare: |
+          pkg install bash automake gnu-m4 pkg://solaris/runtime/python-35 autoconf gcc git
+        run: |
+          uname -a
+          ./configure --with-rrsync -disable-zstd --disable-md2man --disable-xxhash --disable-lz4
+          make
+          ./rsync --version
+          make check
+          ./rsync-ssl --no-motd download.samba.org::rsyncftp/ || true
+    - name: save artifact
+      uses: actions/upload-artifact@v4
+      with:
+        name: solaris-bin
+        path: |
+          rsync
+          rsync-ssl
+          rsync.1
+          rsync-ssl.1
+          rsyncd.conf.5
+          rrsync.1
+          rrsync

.github/workflows/ubuntu-22.04-build.yml

@@ -0,0 +1,59 @@
+name: Test rsync on Ubuntu 22.04
+
+# Older-LTS coverage to help with backporting security fixes. ubuntu-22.04
+# is currently the oldest GitHub Actions runner image (20.04 was retired
+# in April 2025).
+
+on:
+  push:
+    branches: [ master ]
+    paths-ignore:
+      - '.github/workflows/*.yml'
+      - '!.github/workflows/ubuntu-22.04-build.yml'
+  pull_request:
+    paths-ignore:
+      - '.github/workflows/*.yml'
+      - '!.github/workflows/ubuntu-22.04-build.yml'
+  schedule:
+    - cron: '42 8 * * *'
+
+jobs:
+  test:
+    runs-on: ubuntu-22.04
+    name: Test rsync on Ubuntu 22.04
+    steps:
+    - uses: actions/checkout@v4
+      with:
+        fetch-depth: 0
+    - name: prep
+      run: |
+        sudo apt-get install acl libacl1-dev attr libattr1-dev liblz4-dev libzstd-dev libxxhash-dev python3-cmarkgfm openssl
+        echo "/usr/local/bin" >>$GITHUB_PATH
+    - name: configure
+      run: ./configure --with-rrsync
+    - name: make
+      run: make
+    - name: install
+      run: sudo make install
+    - name: info
+      run: rsync --version
+    - name: check
+      run: sudo RSYNC_EXPECT_SKIPPED=crtimes make check
+    - name: check30
+      run: sudo RSYNC_EXPECT_SKIPPED=crtimes make check30
+    - name: check29
+      run: sudo RSYNC_EXPECT_SKIPPED=crtimes make check29
+    - name: ssl file list
+      run: rsync-ssl --no-motd download.samba.org::rsyncftp/ || true
+    - name: save artifact
+      uses: actions/upload-artifact@v4
+      with:
+        name: ubuntu-22.04-bin
+        path: |
+          rsync
+          rsync-ssl
+          rsync.1
+          rsync-ssl.1
+          rsyncd.conf.5
+          rrsync.1
+          rrsync

.github/workflows/ubuntu-build.yml

@@ -0,0 +1,55 @@
+name: Test rsync on Ubuntu
+
+on:
+  push:
+    branches: [ master ]
+    paths-ignore:
+      - '.github/workflows/*.yml'
+      - '!.github/workflows/ubuntu-build.yml'
+  pull_request:
+    paths-ignore:
+      - '.github/workflows/*.yml'
+      - '!.github/workflows/ubuntu-build.yml'
+  schedule:
+    - cron: '42 8 * * *'
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+    name: Test rsync on Ubuntu
+    steps:
+    - uses: actions/checkout@v4
+      with:
+        fetch-depth: 0
+    - name: prep
+      run: |
+        sudo apt-get install acl libacl1-dev attr libattr1-dev liblz4-dev libzstd-dev libxxhash-dev python3-cmarkgfm openssl
+        echo "/usr/local/bin" >>$GITHUB_PATH
+    - name: configure
+      run: ./configure --with-rrsync
+    - name: make
+      run: make
+    - name: install
+      run: sudo make install
+    - name: info
+      run: rsync --version
+    - name: check
+      run: sudo RSYNC_EXPECT_SKIPPED=crtimes make check
+    - name: check30
+      run: sudo RSYNC_EXPECT_SKIPPED=crtimes make check30
+    - name: check29
+      run: sudo RSYNC_EXPECT_SKIPPED=crtimes make check29
+    - name: ssl file list
+      run: rsync-ssl --no-motd download.samba.org::rsyncftp/ || true
+    - name: save artifact
+      uses: actions/upload-artifact@v4
+      with:
+        name: ubuntu-bin
+        path: |
+          rsync
+          rsync-ssl
+          rsync.1
+          rsync-ssl.1
+          rsyncd.conf.5
+          rrsync.1
+          rrsync

.gitignore

@@ -16,6 +16,7 @@ aclocal.m4
 /proto.h
 /proto.h-tstamp
 /rsync*.[15]
+/rrsync
 /rrsync*.1
 /rsync*.html
 /rrsync*.html

INSTALL.md

@@ -13,11 +13,11 @@ You need to have a C compiler installed and optionally a C++ compiler in order
 to try to build some hardware-accelerated checksum routines.  Rsync also needs
 a modern awk, which might be provided via gawk or nawk on some OSes.
 
-## Autoconf & man pages
+## Autoconf & manpages
 
 If you're installing from the git repo (instead of a release tar file) you'll
 also need the GNU autotools (autoconf & automake) and your choice of 2 python3
-markdown libraries: cmarkgfm or commonmark (needed to generate the man pages).
+markdown libraries: cmarkgfm or commonmark (needed to generate the manpages).
 If your OS doesn't provide a python3-cmarkgfm or python3-commonmark package,
 you can run the following to install the commonmark python library for your
 build user (after installing python3's pip package):
@@ -26,9 +26,9 @@ build user (after installing python3's pip package):
 
 You can test if you've got it fixed by running (from the rsync checkout):
 
->     ./md2man --test rsync-ssl.1.md
+>     ./md-convert --test rsync-ssl.1.md
 
-Alternately, you can avoid generating the man pages by fetching the very latest
+Alternately, you can avoid generating the manpages by fetching the very latest
 versions (that match the latest git source) from the [generated-files][6] dir.
 One way to do that is to run:
 

Makefile.in

@@ -30,8 +30,9 @@ SHELL=/bin/sh
 .SUFFIXES:
 .SUFFIXES: .c .o
 
-SIMD_x86_64=simd-checksum-x86_64.o simd-checksum-avx2.o
-ASM_x86_64=lib/md5-asm-x86_64.o
+ROLL_SIMD_x86_64=simd-checksum-x86_64.o
+ROLL_ASM_x86_64=simd-checksum-avx2.o
+MD5_ASM_x86_64=lib/md5-asm-x86_64.o
 
 GENFILES=configure.sh aclocal.m4 config.h.in rsync.1 rsync.1.html \
 	 rsync-ssl.1 rsync-ssl.1.html rsyncd.conf.5 rsyncd.conf.5.html \
@@ -46,7 +47,7 @@ OBJS1=flist.o rsync.o generator.o receiver.o cleanup.o sender.o exclude.o \
 	util1.o util2.o main.o checksum.o match.o syscall.o log.o backup.o delete.o
 OBJS2=options.o io.o compat.o hlink.o token.o uidlist.o socket.o hashtable.o \
 	usage.o fileio.o batch.o clientname.o chmod.o acls.o xattrs.o
-OBJS3=progress.o pipe.o @ASM@ @SIMD@
+OBJS3=progress.o pipe.o @MD5_ASM@ @ROLL_SIMD@ @ROLL_ASM@
 DAEMON_OBJ = params.o loadparm.o clientserver.o access.o connection.o authenticate.o
 popt_OBJS=popt/findme.o  popt/popt.o  popt/poptconfig.o \
 	popt/popthelp.o popt/poptparse.o
@@ -56,12 +57,13 @@ TLS_OBJ = tls.o syscall.o util2.o t_stub.o lib/compat.o lib/snprintf.o lib/perms
 
 # Programs we must have to run the test cases
 CHECK_PROGS = rsync$(EXEEXT) tls$(EXEEXT) getgroups$(EXEEXT) getfsdev$(EXEEXT) \
-	testrun$(EXEEXT) trimslash$(EXEEXT) t_unsafe$(EXEEXT) wildtest$(EXEEXT)
+	testrun$(EXEEXT) trimslash$(EXEEXT) t_unsafe$(EXEEXT) t_chmod_secure$(EXEEXT) \
+	t_secure_relpath$(EXEEXT) wildtest$(EXEEXT) simdtest$(EXEEXT)
 
 CHECK_SYMLINKS = testsuite/chown-fake.test testsuite/devices-fake.test testsuite/xattrs-hlink.test
 
 # Objects for CHECK_PROGS to clean
-CHECK_OBJS=tls.o testrun.o getgroups.o getfsdev.o t_stub.o t_unsafe.o trimslash.o wildtest.o
+CHECK_OBJS=tls.o testrun.o getgroups.o getfsdev.o t_stub.o t_unsafe.o t_chmod_secure.o t_secure_relpath.o trimslash.o wildtest.o
 
 # note that the -I. is needed to handle config.h when using VPATH
 .c.o:
@@ -69,6 +71,8 @@ CHECK_OBJS=tls.o testrun.o getgroups.o getfsdev.o t_stub.o t_unsafe.o trimslash.
 	$(CC) -I. -I$(srcdir) $(CFLAGS) $(CPPFLAGS) -c $< @CC_SHOBJ_FLAG@
 @OBJ_RESTORE@
 
+# NOTE: consider running "packaging/smart-make" instead of "make" to auto-handle
+# any changes to configure.sh and the main Makefile prior to a "make all".
 all: Makefile rsync$(EXEEXT) stunnel-rsyncd.conf @MAKE_RRSYNC@ @MAKE_MAN@
 .PHONY: all
 
@@ -147,13 +151,13 @@ git-version.h: ALWAYS_RUN
 ALWAYS_RUN:
 
 simd-checksum-x86_64.o: simd-checksum-x86_64.cpp
-	@$(srcdir)/cmd-or-msg disable-simd $(CXX) -I. $(CXXFLAGS) $(CPPFLAGS) -c -o $@ $(srcdir)/simd-checksum-x86_64.cpp
+	@$(srcdir)/cmd-or-msg disable-roll-simd $(CXX) -I. $(CXXFLAGS) $(CPPFLAGS) -c -o $@ $(srcdir)/simd-checksum-x86_64.cpp
 
 simd-checksum-avx2.o: simd-checksum-avx2.S
-	@$(srcdir)/cmd-or-msg disable-asm $(CC) $(CFLAGS) --include=$(srcdir)/rsync.h -DAVX2_ASM -I. @NOEXECSTACK@ -c -o $@ $(srcdir)/simd-checksum-avx2.S
+	@$(srcdir)/cmd-or-msg disable-roll-asm $(CC) $(CFLAGS) -I. @NOEXECSTACK@ -c -o $@ $(srcdir)/simd-checksum-avx2.S
 
-lib/md5-asm-x86_64.o: lib/md5-asm-x86_64.S config.h lib/md-defines.h
-	@$(srcdir)/cmd-or-msg disable-asm $(CC) -I. @NOEXECSTACK@ -c -o $@ $(srcdir)/lib/md5-asm-x86_64.S
+lib/md5-asm-x86_64.o: lib/md5-asm-x86_64.S lib/md-defines.h
+	@$(srcdir)/cmd-or-msg disable-md5-asm $(CC) -I. @NOEXECSTACK@ -c -o $@ $(srcdir)/lib/md5-asm-x86_64.S
 
 tls$(EXEEXT): $(TLS_OBJ)
 	$(CC) $(CFLAGS) $(LDFLAGS) -o $@ $(TLS_OBJ) $(LIBS)
@@ -175,6 +179,14 @@ T_UNSAFE_OBJ = t_unsafe.o syscall.o util1.o util2.o t_stub.o lib/compat.o lib/sn
 t_unsafe$(EXEEXT): $(T_UNSAFE_OBJ)
 	$(CC) $(CFLAGS) $(LDFLAGS) -o $@ $(T_UNSAFE_OBJ) $(LIBS)
 
+T_CHMOD_SECURE_OBJ = t_chmod_secure.o syscall.o util1.o util2.o t_stub.o lib/compat.o lib/snprintf.o lib/wildmatch.o lib/permstring.o
+t_chmod_secure$(EXEEXT): $(T_CHMOD_SECURE_OBJ)
+	$(CC) $(CFLAGS) $(LDFLAGS) -o $@ $(T_CHMOD_SECURE_OBJ) $(LIBS)
+
+T_SECURE_RELPATH_OBJ = t_secure_relpath.o syscall.o util1.o util2.o t_stub.o lib/compat.o lib/snprintf.o lib/wildmatch.o lib/permstring.o
+t_secure_relpath$(EXEEXT): $(T_SECURE_RELPATH_OBJ)
+	$(CC) $(CFLAGS) $(LDFLAGS) -o $@ $(T_SECURE_RELPATH_OBJ) $(LIBS)
+
 .PHONY: conf
 conf: configure.sh config.h.in
 
@@ -331,6 +343,14 @@ wildtest.o: wildtest.c t_stub.o lib/wildmatch.c rsync.h config.h
 wildtest$(EXEEXT): wildtest.o lib/compat.o lib/snprintf.o @BUILD_POPT@
 	$(CC) $(CFLAGS) $(LDFLAGS) -o $@ wildtest.o lib/compat.o lib/snprintf.o @BUILD_POPT@ $(LIBS)
 
+simdtest$(EXEEXT): simd-checksum-x86_64.cpp $(HEADERS)
+	@if test x"@ROLL_SIMD@" != x; then \
+	    $(CXX) -I. $(CXXFLAGS) $(CPPFLAGS) $(LDFLAGS) -DTEST_SIMD_CHECKSUM1 \
+	        -o $@ $(srcdir)/simd-checksum-x86_64.cpp @ROLL_ASM@ $(LIBS); \
+	else \
+	    touch $@; \
+	fi
+
 testsuite/chown-fake.test:
 	ln -s chown.test $(srcdir)/testsuite/chown-fake.test
 

NEWS.md

@@ -1,11 +1,221 @@
-# NEWS for rsync 3.2.4 (UNRELEASED)
+# NEWS for rsync 3.2.7 (20 Oct 2022)
+
+## Changes in this version:
+
+### BUG FIXES:
+
+- Fixed the client-side validating of the remote sender's filtering behavior.
+
+- More fixes for the "unrequested file-list name" name, including a copy of
+  "/" with `--relative` enabled and a copy with a lot of related paths with
+  `--relative` enabled (often derived from a `--files-from` list).
+
+- When rsync gets an unpack error on an ACL, mention the filename.
+
+- Avoid over-setting sanitize_paths when a daemon is serving "/" (even if
+  "use chroot" is false).
+
+### ENHANCEMENTS:
+
+- Added negotiated daemon-auth support that allows a stronger checksum digest
+  to be used to validate a user's login to the daemon.  Added SHA512, SHA256,
+  and SHA1 digests to MD5 & MD4.  These new digests are at the highest priority
+  in the new daemon-auth negotiation list.
+
+- Added support for the SHA1 digest in file checksums.  While this tends to be
+  overkill, it is available if someone really needs it.  This overly-long
+  checksum is at the lowest priority in the normal checksum negotiation list.
+  See [`--checksum-choice`](rsync.1#opt) (`--cc`) and the `RSYNC_CHECKSUM_LIST`
+  environment var for how to customize this.
+
+- Improved the xattr hash table to use a 64-bit key without slowing down the
+  key's computation.  This should make extra sure that a hash collision doesn't
+  happen.
+
+- If the `--version` option is repeated (e.g. `-VV`) then the information is
+  output in a (still readable) JSON format.  Client side only.
+
+- The script `support/json-rsync-version` is available to get the JSON style
+  version output from any rsync.  The script accepts either text on stdin
+  **or** an arg that specifies an rsync executable to run with a doubled
+  `--version` option.  If the text we get isn't already in JSON format, it is
+  converted. Newer rsync versions will provide more complete json info than
+  older rsync versions. Various tweaks are made to keep the flag names
+  consistent across versions.
+
+- The [`use chroot`](rsyncd.conf.5#) daemon parameter now defaults to "unset"
+  so that rsync can use chroot when it works and a sanitized copy when chroot
+  is not supported (e.g., for a non-root daemon).  Explicitly setting the
+  parameter to true or false (on or off) behaves the same way as before.
+
+- The `--fuzzy` option was optimized a bit to try to cut down on the amount of
+  computations when considering a big pool of files. The simple heuristic from
+  Kenneth Finnegan resuled in about a 2x speedup.
+
+- If rsync is forced to use protocol 29 or before (perhaps due to talking to an
+  rsync before 3.0.0), the modify time of a file is limited to 4-bytes.  Rsync
+  now interprets this value as an unsigned integer so that a current year past
+  2038 can continue to be represented. This does mean that years prior to 1970
+  cannot be represented in an older protocol, but this trade-off seems like the
+  right choice given that (1) 2038 is very rapidly approaching, and (2) newer
+  protocols support a much wider range of old and new dates.
+
+- The rsync client now treats an empty destination arg as an error, just like
+  it does for an empty source arg. This doesn't affect a `host:` arg (which is
+  treated the same as `host:.`) since the arg is not completely empty.  The use
+  of [`--old-args`](rsync.1#opt) (including via `RSYNC_OLD_ARGS`) allows the
+  prior behavior of treating an empty destination arg as a ".".
+
+### PACKAGING RELATED:
+
+- The checksum code now uses openssl's EVP methods, which gets rid of various
+  deprecation warnings and makes it easy to support more digest methods.  On
+  newer systems, the MD4 digest is marked as legacy in the openssl code, which
+  makes openssl refuse to support it via EVP.  You can choose to ignore this
+  and allow rsync's MD4 code to be used for older rsync connections (when
+  talking to an rsync prior to 3.0.0) or you can choose to configure rsync to
+  tell openssl to enable legacy algorithms (see below).
+
+- A simple openssl config file is supplied that can be installed for rsync to
+  use.  If you install packaging/openssl-rsync.cnf to a public spot (such as
+  `/etc/ssl/openssl-rsync.cnf`) and then run configure with the option
+  `--with-openssl-conf=/path/name.cnf`, this will cause rsync to export the
+  configured path in the OPENSSL_CONF environment variable (when the variable
+  is not already set).  This will enable openssl's MD4 code for rsync to use.
+
+- The packager may wish to include an explicit "use chroot = true" in the top
+  section of their supplied /etc/rsyncd.conf file if the daemon is being
+  installed to run as the root user (though rsync should behave the same even
+  with the value unset, a little extra paranoia doesn't hurt).
+
+- I've noticed that some packagers haven't installed support/nameconvert for
+  users to use in their chrooted rsync configs.  Even if it is not installed
+  as an executable script (to avoid a python3 dependency) it would be good to
+  install it with the other rsync-related support scripts.
+
+- It would be good to add support/json-rsync-version to the list of installed
+  support scripts.
+
+------------------------------------------------------------------------------
+
+# NEWS for rsync 3.2.6 (9 Sep 2022)
+
+## Changes in this version:
+
+### BUG FIXES:
+
+- More path-cleaning improvements in the file-list validation code to avoid
+  rejecting of valid args.
+
+- A file-list validation fix for a [`--files-from`](rsync.1#opt) file that ends
+  without a line-terminating character.
+
+- Added a safety check that prevents the sender from removing destination files
+  when a local copy using [`--remove-source-files`](rsync.1#opt) has some files
+  that are shared between the sending & receiving hierarchies, including the
+  case where the source dir & destination dir are identical.
+
+- Fixed a bug in the internal MD4 checksum code that could cause the digest
+  to be sporadically incorrect (the openssl version was/is fine).
+
+- A minor tweak to rrsync added "copy-devices" to the list of known args, but
+  left it disabled by default.
+
+### ENHANCEMENTS:
+
+- Rename `--protect-args` to [`--secluded-args`](rsync.1#opt) to make it
+  clearer how it differs from the default backslash-escaped arg-protecting
+  behavior of rsync.  The old option names are still accepted.  The
+  environment-variable override did not change its name.
+
+### PACKAGING RELATED:
+
+- The configure option `--with-protected-args` was renamed to
+  `--with-secluded-args`.  This option makes `--secluded-args` the default
+  rsync behavior instead of using backslash escaping for protecting args.
+
+- The mkgitver script now makes sure that a `.git` dir/file is in the top-level
+  source dir before calling `git describe`. It also runs a basic check on the
+  version value. This should avoid using an unrelated git description for
+  rsync's version.
+
+### DEVELOPER RELATED:
+
+- The configure script no longer sets the -pedantic-errors CFLAG (which it
+  used to try to do only for gcc).
+
+- The name_num_obj struct was modified to allow its dynamic name_num_item list
+  to be initialized in a better way.
+
+------------------------------------------------------------------------------
+
+# NEWS for rsync 3.2.5 (14 Aug 2022)
+
+## Changes in this version:
+
+### SECURITY FIXES:
+
+- Added some file-list safety checking that helps to ensure that a rogue
+  sending rsync can't add unrequested top-level names and/or include recursive
+  names that should have been excluded by the sender.  These extra safety
+  checks only require the receiver rsync to be updated.  When dealing with an
+  untrusted sending host, it is safest to copy into a dedicated destination
+  directory for the remote content (i.e. don't copy into a destination
+  directory that contains files that aren't from the remote host unless you
+  trust the remote host). Fixes CVE-2022-29154.
+
+ - A fix for CVE-2022-37434 in the bundled zlib (buffer overflow issue).
+
+### BUG FIXES:
+
+- Fixed the handling of filenames specified with backslash-quoted wildcards
+  when the default remote-arg-escaping is enabled.
+
+- Fixed the configure check for signed char that was causing a host that
+  defaults to unsigned characters to generate bogus rolling checksums. This
+  made rsync send mostly literal data for a copy instead of finding matching
+  data in the receiver's basis file (for a file that contains high-bit
+  characters).
+
+- Lots of manpage improvements, including an attempt to better describe how
+  include/exclude filters work.
+
+- If rsync is compiled with an xxhash 0.8 library and then moved to a system
+  with a dynamically linked xxhash 0.7 library, we now detect this and disable
+  the XX3 hashes (since these routines didn't stabilize until 0.8).
+
+### ENHANCEMENTS:
+
+- The [`--trust-sender`](rsync.1#opt) option was added as a way to bypass the
+  extra file-list safety checking (should that be required).
+
+### PACKAGING RELATED:
+
+- A note to those wanting to patch older rsync versions: the changes in this
+  release requires the quoted argument change from 3.2.4. Then, you'll want
+  every single code change from 3.2.5 since there is no fluff in this release.
+
+- The build date that goes into the manpages is now based on the developer's
+  release date, not on the build's local-timezone interpretation of the date.
+
+### DEVELOPER RELATED:
+
+- Configure now defaults GETGROUPS_T to gid_t when cross compiling.
+
+- Configure now looks for the bsd/string.h include file in order to fix the
+  build on a host that has strlcpy() in the main libc but not defined in the
+  main string.h file.
+
+------------------------------------------------------------------------------
+
+# NEWS for rsync 3.2.4 (15 Apr 2022)
 
 ## Changes in this version:
 
 ### BEHAVIOR CHANGES:
 
  - A new form of arg protection was added that works similarly to the older
-   [`--protect-args`](rsync.1#opt) (`-s`) option but in a way that avoids
+   `--protect-args` ([`-s`](rsync.1#opt)) option but in a way that avoids
    breaking things like rrsync (the restricted rsync script): rsync now uses
    backslash escaping for sending "shell-active" characters to the remote
    shell. This includes spaces, so fetching a remote file via a simple quoted
@@ -20,13 +230,13 @@
    If your rsync script depends on the old arg-splitting behavior, either run
    it with the [`--old-args`](rsync.1#opt) option or `export RSYNC_OLD_ARGS=1`
    in the script's environment.  See also the [ADVANCED USAGE](rsync.1#)
-   section of rsync's man page.
+   section of rsync's manpage for how to use a more modern arg style.
 
  - A long-standing bug was preventing rsync from figuring out the current
    locale's decimal point character, which made rsync always output numbers
    using the "C" locale.  Since this is now fixed in 3.2.4, a script that
-   parses rsync's decimal numbers (e.g. from the verbose footer) should be sure
-   to setup the environment in a way that the output continues to be in the C
+   parses rsync's decimal numbers (e.g. from the verbose footer) may want to
+   setup the environment in a way that the output continues to be in the C
    locale.  For instance, one of the following should work fine:
 
    ```shell
@@ -44,6 +254,10 @@
        export LC_NUMERIC=C.UTF-8
    ```
 
+### SECURITY FIXES:
+
+ - A fix for CVE-2018-25032 in the bundled zlib (memory corruption issue).
+
 ### BUG FIXES:
 
  - Fixed a bug with [`--inplace`](rsync.1#opt) + [`--sparse`](rsync.1#opt) (and
@@ -87,6 +301,12 @@
    per-file compression skipping has apparently never worked, so it is now
    documented as being ineffective.
 
+ - Fixed a truncate error when a `--write-devices` copy wrote a file onto a
+   device that was shorter than the device.
+
+ - Made `--write-devices` support both `--checksum` and `--no-whole-file` when
+   copying to a device.
+
  - Improved how the [`--stop-at`](rsync.1#opt), [`--stop-after`](rsync.1#opt),
    and (the deprecated) [`--time-limit`](rsync.1#opt) options check to see if
    the allowed time is over, which should make rsync exit more consistently.
@@ -97,6 +317,12 @@
  - Silence some chmod warnings about symlinks when it looks like we have a
    function to set their permissions but they can't really be set.
 
+ - Fixed a potential issue in git-set-file-times when handling commits with
+   high-bit characters in the description & when handling a description that
+   might mimic the git raw-commit deliniators.  (See the support dir.)
+
+ - The bundled systemd/rsync.service file now includes `Restart=on-failure`.
+
 ### ENHANCEMENTS:
 
  - Use openssl's `-verify_hostname` option in the rsync-ssl script.
@@ -110,6 +336,12 @@
 
  - Added the [`--fsync`](rsync.1#opt) option (promoted from the patches repo).
 
+ - Added the [`--copy-devices`](rsync.1#opt) option.  Compared to the
+   historical version from the rsync-patches repo, this version: properly
+   handles `--checksum`; fixes a truncation bug when doing an `--inplace` copy
+   onto a longer file; fixes several bugs in the `--itemize` output; and only
+   the sending side needs the enhanced rsync for the copy to work.
+
  - Reduced memory usage for an incremental transfer that has a bunch of small
    directories.
 
@@ -127,7 +359,7 @@
    that is being refused due to the Linux fs.protected_regular sysctl setting.
 
  - When [`--chown`](rsync.1#opt), [`--usermap`](rsync.1#opt), or
-   [`--groupmap`](rsync.1#opt), is specified, rsync now makes sure that the
+   [`--groupmap`](rsync.1#opt) is specified, rsync now makes sure that the
    appropriate [`--owner`](rsync.1#opt) and/or [`--group`](rsync.1#opt) options
    are enabled.
 
@@ -136,7 +368,11 @@
    (keeping the behavior the same as before), so specifying `--info=nonreg0`
    can be used to turn the warnings off.
 
- - More ASM optimizations from Shark64.
+ - An optional asm optimization for the rolling checksum from Shark64. Enable
+   it with `./configure --enable-roll-asm`.
+
+ - Using `--debug=FILTER` now outputs a caution message if a filter rule
+   has trailing whitespace.
 
  - Transformed rrsync into a python script with improvements:
    - Security has been beefed up.
@@ -154,7 +390,7 @@
      and `--delete*` rsync options on the server side.
    - The log format has been tweaked slightly to add seconds to the timestamp
      and to output the command executed as a tuple (making the args clearer).
-   - An rrsync.1 man page was added (in the support dir with rrsync).
+   - An rrsync.1 manpage was added (in the support dir with rrsync).
 
  - Added options to the lsh script to facilitate rrsync testing. (See the
    support dir.)
@@ -173,12 +409,12 @@
  - Try to support a client that sent a remote rsync a wacko stderr file handle
    (such as an older File::RsyncP perl library used by BackupPC).
 
- - Lots of man page improvements, including better html versions.
+ - Lots of manpage improvements, including better HTML versions.
 
 ### PACKAGING RELATED:
 
  - Give configure the `--with-rrsync` option if you want `make install` to
-   install the (now python3) rrsync script and its new man page.
+   install the (now python3) rrsync script and its new manpage.
 
  - If the rrsync script is installed, its package should be changed to depend
    on python3 and the (suggested but not mandatory) python3 braceexpand lib.
@@ -189,18 +425,32 @@
    using the output of `git describe` when building inside a non-shallow git
    checkout, though.)
 
- - Improved the IPv6 determination in configure.
+ - Renamed configure's `--enable-simd` option to `--enable-roll-simd` and added
+   the option `--enable-roll-asm` to use the new asm version of the code.  Both
+   are x86_64/amd64 only.
 
- - Made SIMD & ASM configure default to "no" on non-Linux hosts due to various
-   reports of problems on NetBSD & macOS hosts.  These tests were also tweaked
-   to allow enabling the feature on a host_cpu of amd64 (was only x86_64).
+ - Renamed configure's `--enable-asm` option to `--enable-md5-asm` to avoid
+   confusion with the asm option for the rolling checksum.  It is also honored
+   even when openssl crypto is in use.  This allows: normal MD4 & MD5, normal
+   MD4 + asm MD5, openssl MD4 & MD5, or openssl MD4 + asm MD5 depending on the
+   configure options selected.
+
+ - Made SIMD & asm configure checks default to "no" on non-Linux hosts due to
+   various reports of problems on NetBSD & macOS hosts.  These were also
+   tweaked to allow enabling the feature on a host_cpu of amd64 (was only
+   allowed on x86_64 before).
 
  - Fixed configure to not fail at the SIMD check when cross-compiling.
 
+ - Improved the IPv6 determination in configure.
+
  - Compile the C files with `-pedantic-errors` (when possible) so that we will
    get warned if a static initialization overflows in the future (among other
    things).
 
+ - When linking with an external zlib, rsync renames its `read_buf()` function
+   to `read_buf_()` to avoid a symbol clash on an unpatched zlib.
+
  - Added a SECURITY.md file.
 
 ### DEVELOPER RELATED:
@@ -383,7 +633,7 @@
 
  - Put optimizations into their own list in the `--version` output.
 
- - Improved the man page a bit more.
+ - Improved the manpage a bit more.
 
 ### PACKAGING RELATED:
 
@@ -610,7 +860,7 @@
  - The daemon now locks its pid file (when configured to use one) so that it
    will not fail to start when the file exists but no daemon is running.
 
- - Various man page improvements, including some html representations (that
+ - Various manpage improvements, including some html representations (that
    aren't installed by default).
 
  - Made `-V` the short option for `--version` and improved its information.
@@ -627,7 +877,7 @@
 
  - Add installed bash script: /usr/bin/rsync-ssl
 
- - Add installed man page: /usr/man/man1/rsync-ssl.1
+ - Add installed manpage: /usr/man/man1/rsync-ssl.1
 
  - Tweak auxiliary doc file names, such as: README.md, INSTALL.md, & NEWS.md.
 
@@ -649,8 +899,8 @@
    SIMD checksum optimizations.
 
  - Add _build_ dependency for _either_ python3-cmarkcfm or python3-commonmark
-   to allow for patching of man pages or building a git release.  This is not
-   required for a release-tar build, since it comes with pre-built man pages.
+   to allow for patching of manpages or building a git release.  This is not
+   required for a release-tar build, since it comes with pre-built manpages.
    Note that cmarkcfm is faster than commonmark, but they generate the same
    data.  The commonmark dependency is easiest to install since it's native
    python, and can even be installed via `pip3 install --user commonmark` if
@@ -663,7 +913,7 @@
  - Silenced some annoying warnings about major() & minor() by improving an
    autoconf include-file check.
 
- - Converted the man pages from yodl to markdown. They are now processed via a
+ - Converted the manpages from yodl to markdown. They are now processed via a
    simple python3 script using the cmarkgfm **or** commonmark library.  This
    should make it easier to package rsync, since yodl is rather obscure.
 
@@ -741,11 +991,11 @@
 
 ### DEVELOPER RELATED:
 
- - Tweak the `make` output when yodl isn't around to create the man pages.
+ - Tweak the `make` output when yodl isn't around to create the manpages.
 
  - Changed an obsolete autoconf compile macro.
 
- - Support newer yodl versions when converting man pages.
+ - Support newer yodl versions when converting manpages.
 
 ------------------------------------------------------------------------------
 
@@ -1234,7 +1484,7 @@
 
  - Avoid trying to reference `SO_BROADCAST` if the OS doesn't support it.
 
- - Fix some issues with the post-processing of the man pages.
+ - Fix some issues with the post-processing of the manpages.
 
  - Fixed the user home-dir handling in the lsh script. (See the support dir.)
 
@@ -1714,7 +1964,7 @@
    of files, and the ensuring that daemon excludes can't affect a dot-dir arg.
 
  - Improved some build rules for those that build in a separate directory from
-   the source, including better install rules for the man pages, and the fixing
+   the source, including better install rules for the manpages, and the fixing
    of a proto.h-tstamp rule that could make the binaries get rebuild without
    cause.
 
@@ -2322,7 +2572,7 @@
 
  - Added the `--log-file=FILE` and `--log-file-format=FORMAT` options. These
    can be used to tell any rsync to output what it is doing to a log file.
-   They work with a client rsync, a non-daemon server rsync (see the man page
+   They work with a client rsync, a non-daemon server rsync (see the manpage
    for instructions), and also allows the overriding of rsyncd.conf settings
    when starting a daemon.
 
@@ -2616,7 +2866,7 @@
  - Added two config items to the rsyncd.conf parsing: `pre-xfer exec` and
    `post-xfer exec`. These allow a command to be specified on a per-module
    basis that will be run before and/or after a daemon-mode transfer. (See the
-   man page for a list of the environment variables that are set with
+   manpage for a list of the environment variables that are set with
    information about the transfer.)
 
  - When using the `--relative` option, you can now insert a dot dir in the
@@ -2984,7 +3234,7 @@
    usually run with the `--no-detach` option that was necessary to see the
    error on stderr).
 
- - The man pages now consistently refer to an rsync daemon as a `daemon`
+ - The manpages now consistently refer to an rsync daemon as a `daemon`
    instead of a `server` (to distinguish it from the server process in a
    non-daemon transfer).
 
@@ -3551,12 +3801,12 @@
    without using a temporary file. The matching of existing data in the
    destination file can be severely limited by this, but there are also cases
    where this is more efficient (such as appending data).  Use only when needed
-   (see the man page for more details).
+   (see the manpage for more details).
 
  - Added the `write only` option for the daemon's config file.
 
  - Added long-option names for `-4` and `-6` (namely `--ipv4` and `--ipv6`) and
-   documented all these options in the man page.
+   documented all these options in the manpage.
 
  - Improved the handling of the `--bwlimit` option so that it's less bursty,
    more accurate, and works properly over a larger range of values.
@@ -3631,7 +3881,7 @@
 ### BUILD CHANGES:
 
  - Added a `gen` target to rebuild most of the generated files, including
-   configure, config.h.in, the man pages, and proto.h.
+   configure, config.h.in, the manpages, and proto.h.
 
  - If `make proto` doesn't find some changes in the prototypes, the proto.h
    file is left untouched (its time-stamp used to always be updated).
@@ -4229,7 +4479,7 @@
  - Added `--no-whole-file` and `--no-blocking-io` options (Dave Dykstra)
 
  - Made the `--write-batch` and `--read-batch` options actually work and added
-   documentation in the man page (Jos Backus)
+   documentation in the manpage (Jos Backus)
 
  - If the daemon is unable to fork a child to accept a connection, print an
    error message. (Colin Walters)
@@ -4442,7 +4692,10 @@
 
 | RELEASE DATE | VER.   | DATE OF COMMIT\* | PROTOCOL    |
 |--------------|--------|------------------|-------------|
-| ?? Jan 2022  | 3.2.4  |                  | 31          |
+| 20 Oct 2022  | 3.2.7  |                  | 31          |
+| 09 Sep 2022  | 3.2.6  |                  | 31          |
+| 14 Aug 2022  | 3.2.5  |                  | 31          |
+| 15 Apr 2022  | 3.2.4  |                  | 31          |
 | 06 Aug 2020  | 3.2.3  |                  | 31          |
 | 04 Jul 2020  | 3.2.2  |                  | 31          |
 | 22 Jun 2020  | 3.2.1  |                  | 31          |

README.md

@@ -65,8 +65,8 @@ RSYNC DAEMONS
 -------------
 
 Rsync can also talk to "rsync daemons" which can provide anonymous or
-authenticated rsync.  See the rsyncd.conf(5) man page for details on how
-to setup an rsync daemon.  See the rsync(1) man page for info on how to
+authenticated rsync.  See the rsyncd.conf(5) manpage for details on how
+to setup an rsync daemon.  See the rsync(1) manpage for info on how to
 connect to an rsync daemon.
 
 

access.c

@@ -99,7 +99,7 @@ static void make_mask(char *mask, int plen, int addrlen)
 	return;
 }
 
-static int match_address(const char *addr, const char *tok)
+static int match_address(const char *addr, char *tok)
 {
 	char *p;
 	struct addrinfo hints, *resa, *rest;

acls.c

@@ -519,6 +519,7 @@ static int get_rsync_acl(const char *fname, rsync_acl *racl,
 
 		sys_acl_free_acl(sacl);
 		if (!ok) {
+			rsyserr(FERROR_XFER, errno, "get_acl: unpack_smb_acl(%s)", fname);
 			return -1;
 		}
 	} else if (no_acl_syscall_error(errno)) {
@@ -696,7 +697,7 @@ static uint32 recv_acl_access(int f, uchar *name_follows_ptr)
 static uchar recv_ida_entries(int f, ida_entries *ent)
 {
 	uchar computed_mask_bits = 0;
-	int i, count = read_varint(f);
+	int i, count = read_varint_bounded(f, 0, MAX_WIRE_ACL_COUNT, "ACL count");
 
 	ent->idas = count ? new_array(id_access, count) : NULL;
 	ent->count = count;
@@ -712,7 +713,7 @@ static uchar recv_ida_entries(int f, ida_entries *ent)
 			else
 				id = recv_group_name(f, id, NULL);
 		} else if (access & NAME_IS_USER) {
-			if (inc_recurse && am_root && !numeric_ids)
+			if (inc_recurse && !numeric_ids)
 				id = match_uid(id);
 		} else {
 			if (inc_recurse && (!am_root || !numeric_ids))

authenticate.c

@@ -2,7 +2,7 @@
  * Support rsync daemon authentication.
  *
  * Copyright (C) 1998-2000 Andrew Tridgell
- * Copyright (C) 2002-2020 Wayne Davison
+ * Copyright (C) 2002-2022 Wayne Davison
  *
  * This program is free software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License as published by
@@ -24,6 +24,7 @@
 
 extern int read_only;
 extern char *password_file;
+extern struct name_num_obj valid_auth_checksums;
 
 /***************************************************************************
 encode a buffer using base64 - simple and slow algorithm. null terminates
@@ -72,9 +73,9 @@ static void gen_challenge(const char *addr, char *challenge)
 	SIVAL(input, 20, tv.tv_usec);
 	SIVAL(input, 24, getpid());
 
-	sum_init(-1, 0);
+	len = sum_init(valid_auth_checksums.negotiated_nni, 0);
 	sum_update(input, sizeof input);
-	len = sum_end(digest);
+	sum_end(digest);
 
 	base64_encode(digest, len, challenge, 0);
 }
@@ -86,10 +87,10 @@ static void generate_hash(const char *in, const char *challenge, char *out)
 	char buf[MAX_DIGEST_LEN];
 	int len;
 
-	sum_init(-1, 0);
+	len = sum_init(valid_auth_checksums.negotiated_nni, 0);
 	sum_update(in, strlen(in));
 	sum_update(challenge, strlen(challenge));
-	len = sum_end(buf);
+	sum_end(buf);
 
 	base64_encode(buf, len, out, 0);
 }
@@ -238,6 +239,7 @@ char *auth_server(int f_in, int f_out, int module, const char *host,
 	if (!users || !*users)
 		return "";
 
+	negotiate_daemon_auth(f_out, 0);
 	gen_challenge(addr, challenge);
 
 	io_printf(f_out, "%s%s\n", leader, challenge);
@@ -350,6 +352,7 @@ void auth_client(int fd, const char *user, const char *challenge)
 
 	if (!user || !*user)
 		user = "nobody";
+	negotiate_daemon_auth(-1, 1);
 
 	if (!(pass = getpassf(password_file))
 	 && !(pass = getenv("RSYNC_PASSWORD"))) {

backup.c

@@ -39,7 +39,7 @@ static int validate_backup_dir(void)
 {
 	STRUCT_STAT st;
 
-	if (do_lstat(backup_dir_buf, &st) < 0) {
+	if (do_lstat_at(backup_dir_buf, &st) < 0) {
 		if (errno == ENOENT)
 			return 0;
 		rsyserr(FERROR, errno, "backup lstat %s failed", backup_dir_buf);
@@ -98,7 +98,7 @@ static BOOL copy_valid_path(const char *fname)
 	for ( ; b; name = b + 1, b = strchr(name, '/')) {
 		*b = '\0';
 
-		while (do_mkdir(backup_dir_buf, ACCESSPERMS) < 0) {
+		while (do_mkdir_at(backup_dir_buf, ACCESSPERMS) < 0) {
 			if (errno == EEXIST) {
 				val = validate_backup_dir();
 				if (val > 0)
@@ -197,7 +197,7 @@ static inline int link_or_rename(const char *from, const char *to,
 		if (IS_SPECIAL(stp->st_mode) || IS_DEVICE(stp->st_mode))
 			return 0; /* Use copy code. */
 #endif
-		if (do_link(from, to) == 0) {
+		if (do_link_at(from, to) == 0) {
 			if (DEBUG_GTE(BACKUP, 1))
 				rprintf(FINFO, "make_backup: HLINK %s successful.\n", from);
 			return 2;
@@ -207,7 +207,7 @@ static inline int link_or_rename(const char *from, const char *to,
 			return 0;
 	}
 #endif
-	if (do_rename(from, to) == 0) {
+	if (do_rename_at(from, to) == 0) {
 		if (stp->st_nlink > 1 && !S_ISDIR(stp->st_mode)) {
 			/* If someone has hard-linked the file into the backup
 			 * dir, rename() might return success but do nothing! */
@@ -246,7 +246,7 @@ int make_backup(const char *fname, BOOL prefer_rename)
 		goto success;
 	if (errno == EEXIST || errno == EISDIR) {
 		STRUCT_STAT bakst;
-		if (do_lstat(buf, &bakst) == 0) {
+		if (do_lstat_at(buf, &bakst) == 0) {
 			int flags = get_del_for_flag(bakst.st_mode) | DEL_FOR_BACKUP | DEL_RECURSE;
 			if (delete_item(buf, bakst.st_mode, flags) != 0)
 				return 0;
@@ -277,7 +277,7 @@ int make_backup(const char *fname, BOOL prefer_rename)
 	/* Check to see if this is a device file, or link */
 	if ((am_root && preserve_devices && IS_DEVICE(file->mode))
 	 || (preserve_specials && IS_SPECIAL(file->mode))) {
-		if (do_mknod(buf, file->mode, sx.st.st_rdev) < 0)
+		if (do_mknod_at(buf, file->mode, sx.st.st_rdev) < 0)
 			rsyserr(FERROR, errno, "mknod %s failed", full_fname(buf));
 		else if (DEBUG_GTE(BACKUP, 1))
 			rprintf(FINFO, "make_backup: DEVICE %s successful.\n", fname);
@@ -294,7 +294,7 @@ int make_backup(const char *fname, BOOL prefer_rename)
 			}
 			ret = 2;
 		} else {
-			if (do_symlink(sl, buf) < 0)
+			if (do_symlink_at(sl, buf) < 0)
 				rsyserr(FERROR, errno, "link %s -> \"%s\"", full_fname(buf), sl);
 			else if (DEBUG_GTE(BACKUP, 1))
 				rprintf(FINFO, "make_backup: SYMLINK %s successful.\n", fname);

batch.c

@@ -3,7 +3,7 @@
  *
  * Copyright (C) 1999 Weiss
  * Copyright (C) 2004 Chris Shoemaker
- * Copyright (C) 2004-2020 Wayne Davison
+ * Copyright (C) 2004-2022 Wayne Davison
  *
  * This program is free software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License as published by
@@ -194,7 +194,7 @@ static int write_opt(const char *opt, const char *arg)
 {
 	int len = strlen(opt);
 	int err = write(batch_sh_fd, " ", 1) != 1;
-	err = write(batch_sh_fd, opt, len) != len ? 1 : 0; 
+	err = write(batch_sh_fd, opt, len) != len ? 1 : 0;
 	if (arg) {
 		err |= write(batch_sh_fd, "=", 1) != 1;
 		err |= write_arg(arg);

byteorder.h

@@ -2,7 +2,7 @@
  * Simple byteorder handling.
  *
  * Copyright (C) 1992-1995 Andrew Tridgell
- * Copyright (C) 2007-2020 Wayne Davison
+ * Copyright (C) 2007-2022 Wayne Davison
  *
  * This program is free software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License as published by
@@ -129,4 +129,3 @@ SIVAL(char *buf, int pos, uint32 val)
 {
 	SIVALu((uchar*)buf, pos, val);
 }
-

checksum.c

@@ -3,7 +3,7 @@
  *
  * Copyright (C) 1996 Andrew Tridgell
  * Copyright (C) 1996 Paul Mackerras
- * Copyright (C) 2004-2020 Wayne Davison
+ * Copyright (C) 2004-2022 Wayne Davison
  *
  * This program is free software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License as published by
@@ -42,41 +42,94 @@ extern int protocol_version;
 extern int proper_seed_order;
 extern const char *checksum_choice;
 
-struct name_num_obj valid_checksums = {
-	"checksum", NULL, NULL, 0, 0, {
+#define NNI_BUILTIN (1<<0)
+#define NNI_EVP (1<<1)
+#define NNI_EVP_OK (1<<2)
+
+struct name_num_item valid_checksums_items[] = {
 #ifdef SUPPORT_XXH3
-		{ CSUM_XXH3_128, "xxh128", NULL },
-		{ CSUM_XXH3_64, "xxh3", NULL },
+	{ CSUM_XXH3_128, 0, "xxh128", NULL },
+	{ CSUM_XXH3_64, 0, "xxh3", NULL },
 #endif
 #ifdef SUPPORT_XXHASH
-		{ CSUM_XXH64, "xxh64", NULL },
-		{ CSUM_XXH64, "xxhash", NULL },
+	{ CSUM_XXH64, 0, "xxh64", NULL },
+	{ CSUM_XXH64, 0, "xxhash", NULL },
 #endif
-		{ CSUM_MD5, "md5", NULL },
-		{ CSUM_MD4, "md4", NULL },
-		{ CSUM_NONE, "none", NULL },
-		{ 0, NULL, NULL }
-	}
+	{ CSUM_MD5, NNI_BUILTIN|NNI_EVP, "md5", NULL },
+	{ CSUM_MD4, NNI_BUILTIN|NNI_EVP, "md4", NULL },
+#ifdef SHA_DIGEST_LENGTH
+	{ CSUM_SHA1, NNI_EVP, "sha1", NULL },
+#endif
+	{ CSUM_NONE, 0, "none", NULL },
+	{ 0, 0, NULL, NULL }
 };
 
-int xfersum_type = 0; /* used for the file transfer checksums */
-int checksum_type = 0; /* used for the pre-transfer (--checksum) checksums */
+struct name_num_obj valid_checksums = {
+	"checksum", NULL, 0, 0, valid_checksums_items
+};
 
-int parse_csum_name(const char *name, int len)
+struct name_num_item valid_auth_checksums_items[] = {
+#ifdef SHA512_DIGEST_LENGTH
+	{ CSUM_SHA512, NNI_EVP, "sha512", NULL },
+#endif
+#ifdef SHA256_DIGEST_LENGTH
+	{ CSUM_SHA256, NNI_EVP, "sha256", NULL },
+#endif
+#ifdef SHA_DIGEST_LENGTH
+	{ CSUM_SHA1, NNI_EVP, "sha1", NULL },
+#endif
+	{ CSUM_MD5, NNI_BUILTIN|NNI_EVP, "md5", NULL },
+	{ CSUM_MD4, NNI_BUILTIN|NNI_EVP, "md4", NULL },
+	{ 0, 0, NULL, NULL }
+};
+
+struct name_num_obj valid_auth_checksums = {
+	"daemon auth checksum", NULL, 0, 0, valid_auth_checksums_items
+};
+
+/* These cannot make use of openssl, so they're marked just as built-in */
+struct name_num_item implied_checksum_md4 =
+    { CSUM_MD4, NNI_BUILTIN, "md4", NULL };
+struct name_num_item implied_checksum_md5 =
+    { CSUM_MD5, NNI_BUILTIN, "md5", NULL };
+
+struct name_num_item *xfer_sum_nni; /* used for the transfer checksum2 computations */
+int xfer_sum_len;
+struct name_num_item *file_sum_nni; /* used for the pre-transfer --checksum computations */
+int file_sum_len, file_sum_extra_cnt;
+
+#ifdef USE_OPENSSL
+const EVP_MD *xfer_sum_evp_md;
+const EVP_MD *file_sum_evp_md;
+EVP_MD_CTX *ctx_evp = NULL;
+#endif
+
+static int initialized_choices = 0;
+
+struct name_num_item *parse_csum_name(const char *name, int len)
 {
 	struct name_num_item *nni;
 
 	if (len < 0 && name)
 		len = strlen(name);
 
+	init_checksum_choices();
+
 	if (!name || (len == 4 && strncasecmp(name, "auto", 4) == 0)) {
-		if (protocol_version >= 30)
-			return CSUM_MD5;
-		if (protocol_version >= 27)
-			return CSUM_MD4_OLD;
-		if (protocol_version >= 21)
-			return CSUM_MD4_BUSTED;
-		return CSUM_MD4_ARCHAIC;
+		if (protocol_version >= 30) {
+			if (!proper_seed_order)
+				return &implied_checksum_md5;
+			name = "md5";
+			len = 3;
+		} else {
+			if (protocol_version >= 27)
+				implied_checksum_md4.num = CSUM_MD4_OLD;
+			else if (protocol_version >= 21)
+				implied_checksum_md4.num = CSUM_MD4_BUSTED;
+			else
+				implied_checksum_md4.num = CSUM_MD4_ARCHAIC;
+			return &implied_checksum_md4;
+		}
 	}
 
 	nni = get_nni_by_name(&valid_checksums, name, len);
@@ -86,44 +139,74 @@ int parse_csum_name(const char *name, int len)
 		exit_cleanup(RERR_UNSUPPORTED);
 	}
 
-	return nni->num;
+	return nni;
 }
 
-static const char *checksum_name(int num)
+#ifdef USE_OPENSSL
+static const EVP_MD *csum_evp_md(struct name_num_item *nni)
 {
-	struct name_num_item *nni = get_nni_by_num(&valid_checksums, num);
+	const EVP_MD *emd;
+	if (!(nni->flags & NNI_EVP))
+		return NULL;
 
-	return nni ? nni->name : num < CSUM_MD4 ? "md4" : "UNKNOWN";
+#ifdef USE_MD5_ASM
+	if (nni->num == CSUM_MD5)
+		emd = NULL;
+	else
+#endif
+		emd = EVP_get_digestbyname(nni->name);                                               
+	if (emd && !(nni->flags & NNI_EVP_OK)) { /* Make sure it works before we advertise it */
+		if (!ctx_evp && !(ctx_evp = EVP_MD_CTX_create()))
+			out_of_memory("csum_evp_md");
+		/* Some routines are marked as legacy and are not enabled in the openssl.cnf file.
+		 * If we can't init the emd, we'll fall back to our built-in code. */
+		if (EVP_DigestInit_ex(ctx_evp, emd, NULL) == 0)
+			emd = NULL;
+		else
+			nni->flags = (nni->flags & ~NNI_BUILTIN) | NNI_EVP_OK;
+	}
+	if (!emd)
+		nni->flags &= ~NNI_EVP;
+	return emd;
 }
+#endif
 
 void parse_checksum_choice(int final_call)
 {
-	if (valid_checksums.negotiated_name)
-		xfersum_type = checksum_type = valid_checksums.negotiated_num;
+	if (valid_checksums.negotiated_nni)
+		xfer_sum_nni = file_sum_nni = valid_checksums.negotiated_nni;
 	else {
-		char *cp = checksum_choice ? strchr(checksum_choice, ',') : NULL;
+		const char *cp = checksum_choice ? strchr(checksum_choice, ',') : NULL;
 		if (cp) {
-			xfersum_type = parse_csum_name(checksum_choice, cp - checksum_choice);
-			checksum_type = parse_csum_name(cp+1, -1);
+			xfer_sum_nni = parse_csum_name(checksum_choice, cp - checksum_choice);
+			file_sum_nni = parse_csum_name(cp+1, -1);
 		} else
-			xfersum_type = checksum_type = parse_csum_name(checksum_choice, -1);
+			xfer_sum_nni = file_sum_nni = parse_csum_name(checksum_choice, -1);
 		if (am_server && checksum_choice)
-			validate_choice_vs_env(NSTR_CHECKSUM, xfersum_type, checksum_type);
+			validate_choice_vs_env(NSTR_CHECKSUM, xfer_sum_nni->num, file_sum_nni->num);
 	}
+	xfer_sum_len = csum_len_for_type(xfer_sum_nni->num, 0);
+	file_sum_len = csum_len_for_type(file_sum_nni->num, 0);
+#ifdef USE_OPENSSL
+	xfer_sum_evp_md = csum_evp_md(xfer_sum_nni);
+	file_sum_evp_md = csum_evp_md(file_sum_nni);
+#endif
 
-	if (xfersum_type == CSUM_NONE)
+	file_sum_extra_cnt = (file_sum_len + EXTRA_LEN - 1) / EXTRA_LEN;
+
+	if (xfer_sum_nni->num == CSUM_NONE)
 		whole_file = 1;
 
 	/* Snag the checksum name for both write_batch's option output & the following debug output. */
-	if (valid_checksums.negotiated_name)
-		checksum_choice = valid_checksums.negotiated_name;
+	if (valid_checksums.negotiated_nni)
+		checksum_choice = valid_checksums.negotiated_nni->name;
 	else if (checksum_choice == NULL)
-		checksum_choice = checksum_name(xfersum_type);
+		checksum_choice = xfer_sum_nni->name;
 
 	if (final_call && DEBUG_GTE(NSTR, am_server ? 3 : 1)) {
 		rprintf(FINFO, "%s%s checksum: %s\n",
 			am_server ? "Server" : "Client",
-			valid_checksums.negotiated_name ? " negotiated" : "",
+			valid_checksums.negotiated_nni ? " negotiated" : "",
 			checksum_choice);
 	}
 }
@@ -143,6 +226,18 @@ int csum_len_for_type(int cst, BOOL flist_csum)
 		return MD4_DIGEST_LEN;
 	  case CSUM_MD5:
 		return MD5_DIGEST_LEN;
+#ifdef SHA_DIGEST_LENGTH
+	  case CSUM_SHA1:
+		return SHA_DIGEST_LENGTH;
+#endif
+#ifdef SHA256_DIGEST_LENGTH
+	  case CSUM_SHA256:
+		return SHA256_DIGEST_LENGTH;
+#endif
+#ifdef SHA512_DIGEST_LENGTH
+	  case CSUM_SHA512:
+		return SHA512_DIGEST_LENGTH;
+#endif
 	  case CSUM_XXH64:
 	  case CSUM_XXH3_64:
 		return 64/8;
@@ -168,6 +263,9 @@ int canonical_checksum(int csum_type)
 		break;
 	  case CSUM_MD4:
 	  case CSUM_MD5:
+	  case CSUM_SHA1:
+	  case CSUM_SHA256:
+	  case CSUM_SHA512:
 		return -1;
 	  case CSUM_XXH64:
 	  case CSUM_XXH3_64:
@@ -179,7 +277,7 @@ int canonical_checksum(int csum_type)
 	return 0;
 }
 
-#ifndef HAVE_SIMD /* See simd-checksum-*.cpp. */
+#ifndef USE_ROLL_SIMD /* See simd-checksum-*.cpp. */
 /*
   a simple 32 bit checksum that can be updated from either end
   (inspired by Mark Adler's Adler-32 checksum)
@@ -204,7 +302,22 @@ uint32 get_checksum1(char *buf1, int32 len)
 
 void get_checksum2(char *buf, int32 len, char *sum)
 {
-	switch (xfersum_type) {
+#ifdef USE_OPENSSL
+	if (xfer_sum_evp_md) {
+		static EVP_MD_CTX *evp = NULL;
+		uchar seedbuf[4];
+		if (!evp && !(evp = EVP_MD_CTX_create()))
+			out_of_memory("get_checksum2");
+		EVP_DigestInit_ex(evp, xfer_sum_evp_md, NULL);
+		if (checksum_seed) {
+			SIVALu(seedbuf, 0, checksum_seed);
+			EVP_DigestUpdate(evp, seedbuf, 4);
+		}
+		EVP_DigestUpdate(evp, (uchar *)buf, len);
+		EVP_DigestFinal_ex(evp, (uchar *)sum, NULL);
+	} else
+#endif
+	switch (xfer_sum_nni->num) {
 #ifdef SUPPORT_XXHASH
 	  case CSUM_XXH64:
 		SIVAL64(sum, 0, XXH64(buf, len, checksum_seed));
@@ -222,40 +335,26 @@ void get_checksum2(char *buf, int32 len, char *sum)
 	  }
 #endif
 	  case CSUM_MD5: {
-		MD5_CTX m5;
+		md_context m5;
 		uchar seedbuf[4];
-		MD5_Init(&m5);
+		md5_begin(&m5);
 		if (proper_seed_order) {
 			if (checksum_seed) {
 				SIVALu(seedbuf, 0, checksum_seed);
-				MD5_Update(&m5, seedbuf, 4);
+				md5_update(&m5, seedbuf, 4);
 			}
-			MD5_Update(&m5, (uchar *)buf, len);
+			md5_update(&m5, (uchar *)buf, len);
 		} else {
-			MD5_Update(&m5, (uchar *)buf, len);
+			md5_update(&m5, (uchar *)buf, len);
 			if (checksum_seed) {
 				SIVALu(seedbuf, 0, checksum_seed);
-				MD5_Update(&m5, seedbuf, 4);
+				md5_update(&m5, seedbuf, 4);
 			}
 		}
-		MD5_Final((uchar *)sum, &m5);
+		md5_result(&m5, (uchar *)sum);
 		break;
 	  }
 	  case CSUM_MD4:
-#ifdef USE_OPENSSL
-	  {
-		MD4_CTX m4;
-		MD4_Init(&m4);
-		MD4_Update(&m4, (uchar *)buf, len);
-		if (checksum_seed) {
-			uchar seedbuf[4];
-			SIVALu(seedbuf, 0, checksum_seed);
-			MD4_Update(&m4, seedbuf, 4);
-		}
-		MD4_Final((uchar *)sum, &m4);
-		break;
-	  }
-#endif
 	  case CSUM_MD4_OLD:
 	  case CSUM_MD4_BUSTED:
 	  case CSUM_MD4_ARCHAIC: {
@@ -266,9 +365,8 @@ void get_checksum2(char *buf, int32 len, char *sum)
 
 		mdfour_begin(&m);
 
-		if (len > len1) {
-			if (buf1)
-				free(buf1);
+		if (len > len1 || !buf1) {
+			free(buf1);
 			buf1 = new_array(char, len+4);
 			len1 = len;
 		}
@@ -288,7 +386,7 @@ void get_checksum2(char *buf, int32 len, char *sum)
 		 * are multiples of 64.  This is fixed by calling mdfour_update()
 		 * even when there are no more bytes.
 		 */
-		if (len - i > 0 || xfersum_type > CSUM_MD4_BUSTED)
+		if (len - i > 0 || xfer_sum_nni->num > CSUM_MD4_BUSTED)
 			mdfour_update(&m, (uchar *)(buf1+i), len-i);
 
 		mdfour_result(&m, (uchar *)sum);
@@ -306,15 +404,33 @@ void file_checksum(const char *fname, const STRUCT_STAT *st_p, char *sum)
 	int32 remainder;
 	int fd;
 
-	memset(sum, 0, MAX_DIGEST_LEN);
-
-	fd = do_open(fname, O_RDONLY, 0);
-	if (fd == -1)
+	fd = do_open_checklinks(fname);
+	if (fd == -1) {
+		memset(sum, 0, file_sum_len);
 		return;
+	}
 
 	buf = map_file(fd, len, MAX_MAP_SIZE, CHUNK_SIZE);
 
-	switch (checksum_type) {
+#ifdef USE_OPENSSL
+	if (file_sum_evp_md) {
+		static EVP_MD_CTX *evp = NULL;
+		if (!evp && !(evp = EVP_MD_CTX_create()))
+			out_of_memory("file_checksum");
+
+		EVP_DigestInit_ex(evp, file_sum_evp_md, NULL);
+
+		for (i = 0; i + CHUNK_SIZE <= len; i += CHUNK_SIZE)
+			EVP_DigestUpdate(evp, (uchar *)map_ptr(buf, i, CHUNK_SIZE), CHUNK_SIZE);
+
+		remainder = (int32)(len - i);
+		if (remainder > 0)
+			EVP_DigestUpdate(evp, (uchar *)map_ptr(buf, i, remainder), remainder);
+
+		EVP_DigestFinal_ex(evp, (uchar *)sum, NULL);
+	} else
+#endif
+	switch (file_sum_nni->num) {
 #ifdef SUPPORT_XXHASH
 	  case CSUM_XXH64: {
 		static XXH64_state_t* state = NULL;
@@ -374,38 +490,21 @@ void file_checksum(const char *fname, const STRUCT_STAT *st_p, char *sum)
 	  }
 #endif
 	  case CSUM_MD5: {
-		MD5_CTX m5;
+		md_context m5;
 
-		MD5_Init(&m5);
+		md5_begin(&m5);
 
 		for (i = 0; i + CHUNK_SIZE <= len; i += CHUNK_SIZE)
-			MD5_Update(&m5, (uchar *)map_ptr(buf, i, CHUNK_SIZE), CHUNK_SIZE);
+			md5_update(&m5, (uchar *)map_ptr(buf, i, CHUNK_SIZE), CHUNK_SIZE);
 
 		remainder = (int32)(len - i);
 		if (remainder > 0)
-			MD5_Update(&m5, (uchar *)map_ptr(buf, i, remainder), remainder);
+			md5_update(&m5, (uchar *)map_ptr(buf, i, remainder), remainder);
 
-		MD5_Final((uchar *)sum, &m5);
+		md5_result(&m5, (uchar *)sum);
 		break;
 	  }
 	  case CSUM_MD4:
-#ifdef USE_OPENSSL
-	  {
-		MD4_CTX m4;
-
-		MD4_Init(&m4);
-
-		for (i = 0; i + CHUNK_SIZE <= len; i += CHUNK_SIZE)
-			MD4_Update(&m4, (uchar *)map_ptr(buf, i, CHUNK_SIZE), CHUNK_SIZE);
-
-		remainder = (int32)(len - i);
-		if (remainder > 0)
-			MD4_Update(&m4, (uchar *)map_ptr(buf, i, remainder), remainder);
-
-		MD4_Final((uchar *)sum, &m4);
-		break;
-	  }
-#endif
 	  case CSUM_MD4_OLD:
 	  case CSUM_MD4_BUSTED:
 	  case CSUM_MD4_ARCHAIC: {
@@ -413,15 +512,15 @@ void file_checksum(const char *fname, const STRUCT_STAT *st_p, char *sum)
 
 		mdfour_begin(&m);
 
-		for (i = 0; i + CHUNK_SIZE <= len; i += CHUNK_SIZE)
-			mdfour_update(&m, (uchar *)map_ptr(buf, i, CHUNK_SIZE), CHUNK_SIZE);
+		for (i = 0; i + CSUM_CHUNK <= len; i += CSUM_CHUNK)
+			mdfour_update(&m, (uchar *)map_ptr(buf, i, CSUM_CHUNK), CSUM_CHUNK);
 
 		/* Prior to version 27 an incorrect MD4 checksum was computed
 		 * by failing to call mdfour_tail() for block sizes that
 		 * are multiples of 64.  This is fixed by calling mdfour_update()
 		 * even when there are no more bytes. */
 		remainder = (int32)(len - i);
-		if (remainder > 0 || checksum_type > CSUM_MD4_BUSTED)
+		if (remainder > 0 || file_sum_nni->num > CSUM_MD4_BUSTED)
 			mdfour_update(&m, (uchar *)map_ptr(buf, i, remainder), remainder);
 
 		mdfour_result(&m, (uchar *)sum);
@@ -429,7 +528,7 @@ void file_checksum(const char *fname, const STRUCT_STAT *st_p, char *sum)
 	  }
 	  default:
 		rprintf(FERROR, "Invalid checksum-choice for --checksum: %s (%d)\n",
-			checksum_name(checksum_type), checksum_type);
+			file_sum_nni->name, file_sum_nni->num);
 		exit_cleanup(RERR_UNSUPPORTED);
 	}
 
@@ -438,30 +537,43 @@ void file_checksum(const char *fname, const STRUCT_STAT *st_p, char *sum)
 }
 
 static int32 sumresidue;
-static union {
-	md_context md;
-#ifdef USE_OPENSSL
-	MD4_CTX m4;
-#endif
-	MD5_CTX m5;
-} ctx;
+static md_context ctx_md;
 #ifdef SUPPORT_XXHASH
 static XXH64_state_t* xxh64_state;
 #endif
 #ifdef SUPPORT_XXH3
 static XXH3_state_t* xxh3_state;
 #endif
-static int cursum_type;
+static struct name_num_item *cur_sum_nni;
+int cur_sum_len;
 
-void sum_init(int csum_type, int seed)
+#ifdef USE_OPENSSL
+static const EVP_MD *cur_sum_evp_md;
+#endif
+
+/* Initialize a hash digest accumulator.  Data is supplied via
+ * sum_update() and the resulting binary digest is retrieved via
+ * sum_end().  This only supports one active sum at a time. */
+int sum_init(struct name_num_item *nni, int seed)
 {
 	char s[4];
 
-	if (csum_type < 0)
-		csum_type = parse_csum_name(NULL, 0);
-	cursum_type = csum_type;
+	if (!nni)
+		nni = parse_csum_name(NULL, 0);
+	cur_sum_nni = nni;
+	cur_sum_len = csum_len_for_type(nni->num, 0);
+#ifdef USE_OPENSSL
+	cur_sum_evp_md = csum_evp_md(nni);
+#endif
 
-	switch (csum_type) {
+#ifdef USE_OPENSSL
+	if (cur_sum_evp_md) {
+		if (!ctx_evp && !(ctx_evp = EVP_MD_CTX_create()))
+			out_of_memory("file_checksum");
+		EVP_DigestInit_ex(ctx_evp, cur_sum_evp_md, NULL);
+	} else
+#endif
+	switch (cur_sum_nni->num) {
 #ifdef SUPPORT_XXHASH
 	  case CSUM_XXH64:
 		if (!xxh64_state && !(xxh64_state = XXH64_createState()))
@@ -482,20 +594,16 @@ void sum_init(int csum_type, int seed)
 		break;
 #endif
 	  case CSUM_MD5:
-		MD5_Init(&ctx.m5);
+		md5_begin(&ctx_md);
 		break;
 	  case CSUM_MD4:
-#ifdef USE_OPENSSL
-		MD4_Init(&ctx.m4);
-#else
-		mdfour_begin(&ctx.md);
+		mdfour_begin(&ctx_md);
 		sumresidue = 0;
-#endif
 		break;
 	  case CSUM_MD4_OLD:
 	  case CSUM_MD4_BUSTED:
 	  case CSUM_MD4_ARCHAIC:
-		mdfour_begin(&ctx.md);
+		mdfour_begin(&ctx_md);
 		sumresidue = 0;
 		SIVAL(s, 0, seed);
 		sum_update(s, 4);
@@ -505,19 +613,19 @@ void sum_init(int csum_type, int seed)
 	  default: /* paranoia to prevent missing case values */
 		exit_cleanup(RERR_UNSUPPORTED);
 	}
+
+	return cur_sum_len;
 }
 
-/**
- * Feed data into an MD4 accumulator, md.  The results may be
- * retrieved using sum_end().  md is used for different purposes at
- * different points during execution.
- *
- * @todo Perhaps get rid of md and just pass in the address each time.
- * Very slightly clearer and slower.
- **/
+/* Feed data into a hash digest accumulator. */
 void sum_update(const char *p, int32 len)
 {
-	switch (cursum_type) {
+#ifdef USE_OPENSSL
+	if (cur_sum_evp_md) {
+		EVP_DigestUpdate(ctx_evp, (uchar *)p, len);
+	} else
+#endif
+	switch (cur_sum_nni->num) {
 #ifdef SUPPORT_XXHASH
 	  case CSUM_XXH64:
 		XXH64_update(xxh64_state, p, len);
@@ -532,39 +640,35 @@ void sum_update(const char *p, int32 len)
 		break;
 #endif
 	  case CSUM_MD5:
-		MD5_Update(&ctx.m5, (uchar *)p, len);
+		md5_update(&ctx_md, (uchar *)p, len);
 		break;
 	  case CSUM_MD4:
-#ifdef USE_OPENSSL
-		MD4_Update(&ctx.m4, (uchar *)p, len);
-		break;
-#endif
 	  case CSUM_MD4_OLD:
 	  case CSUM_MD4_BUSTED:
 	  case CSUM_MD4_ARCHAIC:
 		if (len + sumresidue < CSUM_CHUNK) {
-			memcpy(ctx.md.buffer + sumresidue, p, len);
+			memcpy(ctx_md.buffer + sumresidue, p, len);
 			sumresidue += len;
 			break;
 		}
 
 		if (sumresidue) {
 			int32 i = CSUM_CHUNK - sumresidue;
-			memcpy(ctx.md.buffer + sumresidue, p, i);
-			mdfour_update(&ctx.md, (uchar *)ctx.md.buffer, CSUM_CHUNK);
+			memcpy(ctx_md.buffer + sumresidue, p, i);
+			mdfour_update(&ctx_md, (uchar *)ctx_md.buffer, CSUM_CHUNK);
 			len -= i;
 			p += i;
 		}
 
 		while (len >= CSUM_CHUNK) {
-			mdfour_update(&ctx.md, (uchar *)p, CSUM_CHUNK);
+			mdfour_update(&ctx_md, (uchar *)p, CSUM_CHUNK);
 			len -= CSUM_CHUNK;
 			p += CSUM_CHUNK;
 		}
 
 		sumresidue = len;
 		if (sumresidue)
-			memcpy(ctx.md.buffer, p, sumresidue);
+			memcpy(ctx_md.buffer, p, sumresidue);
 		break;
 	  case CSUM_NONE:
 		break;
@@ -573,13 +677,18 @@ void sum_update(const char *p, int32 len)
 	}
 }
 
-/* NOTE: all the callers of sum_end() pass in a pointer to a buffer that is
- * MAX_DIGEST_LEN in size, so even if the csum-len is shorter that that (i.e.
- * CSUM_MD4_ARCHAIC), we don't have to worry about limiting the data we write
- * into the "sum" buffer. */
-int sum_end(char *sum)
+/* The sum buffer only needs to be as long as the current checksum's digest
+ * len, not MAX_DIGEST_LEN. Note that for CSUM_MD4_ARCHAIC that is the full
+ * MD4_DIGEST_LEN even if the file-list code is going to ignore all but the
+ * first 2 bytes of it. */
+void sum_end(char *sum)
 {
-	switch (cursum_type) {
+#ifdef USE_OPENSSL
+	if (cur_sum_evp_md) {
+		EVP_DigestFinal_ex(ctx_evp, (uchar *)sum, NULL);
+	} else
+#endif
+	switch (cur_sum_nni->num) {
 #ifdef SUPPORT_XXHASH
 	  case CSUM_XXH64:
 		SIVAL64(sum, 0, XXH64_digest(xxh64_state));
@@ -597,22 +706,18 @@ int sum_end(char *sum)
 	  }
 #endif
 	  case CSUM_MD5:
-		MD5_Final((uchar *)sum, &ctx.m5);
+		md5_result(&ctx_md, (uchar *)sum);
 		break;
 	  case CSUM_MD4:
-#ifdef USE_OPENSSL
-		MD4_Final((uchar *)sum, &ctx.m4);
-		break;
-#endif
 	  case CSUM_MD4_OLD:
-		mdfour_update(&ctx.md, (uchar *)ctx.md.buffer, sumresidue);
-		mdfour_result(&ctx.md, (uchar *)sum);
+		mdfour_update(&ctx_md, (uchar *)ctx_md.buffer, sumresidue);
+		mdfour_result(&ctx_md, (uchar *)sum);
 		break;
 	  case CSUM_MD4_BUSTED:
 	  case CSUM_MD4_ARCHAIC:
 		if (sumresidue)
-			mdfour_update(&ctx.md, (uchar *)ctx.md.buffer, sumresidue);
-		mdfour_result(&ctx.md, (uchar *)sum);
+			mdfour_update(&ctx_md, (uchar *)ctx_md.buffer, sumresidue);
+		mdfour_result(&ctx_md, (uchar *)sum);
 		break;
 	  case CSUM_NONE:
 		*sum = '\0';
@@ -620,6 +725,74 @@ int sum_end(char *sum)
 	  default: /* paranoia to prevent missing case values */
 		exit_cleanup(RERR_UNSUPPORTED);
 	}
-
-	return csum_len_for_type(cursum_type, 0);
+}
+
+#if defined SUPPORT_XXH3 || defined USE_OPENSSL
+static void verify_digest(struct name_num_item *nni, BOOL check_auth_list)
+{
+#ifdef SUPPORT_XXH3
+	static int xxh3_result = 0;
+#endif
+#ifdef USE_OPENSSL
+	static int prior_num = 0, prior_flags = 0, prior_result = 0;
+#endif
+
+#ifdef SUPPORT_XXH3
+	if (nni->num == CSUM_XXH3_64 || nni->num == CSUM_XXH3_128) {
+		if (!xxh3_result) {
+			char buf[32816];
+			int j;
+			for (j = 0; j < (int)sizeof buf; j++)
+				buf[j] = ' ' + (j % 96);
+			sum_init(nni, 0);
+			sum_update(buf, 32816);
+			sum_update(buf, 31152);
+			sum_update(buf, 32474);
+			sum_update(buf, 9322);
+			xxh3_result = XXH3_64bits_digest(xxh3_state) != 0xadbcf16d4678d1de ? -1 : 1;
+		}
+		if (xxh3_result < 0)
+			nni->num = CSUM_gone;
+		return;
+	}
+#endif
+
+#ifdef USE_OPENSSL
+	if (BITS_SETnUNSET(nni->flags, NNI_EVP, NNI_BUILTIN|NNI_EVP_OK)) {
+		if (nni->num == prior_num && nni->flags == prior_flags) {
+			nni->flags = prior_result;
+			if (!(nni->flags & NNI_EVP))
+				nni->num = CSUM_gone;
+		} else {
+			prior_num = nni->num;
+			prior_flags = nni->flags;
+			if (!csum_evp_md(nni))
+				nni->num = CSUM_gone;
+			prior_result = nni->flags;
+			if (check_auth_list && (nni = get_nni_by_num(&valid_auth_checksums, prior_num)) != NULL)
+				verify_digest(nni, False);
+		}
+	}
+#endif
+}
+#endif
+
+void init_checksum_choices()
+{
+#if defined SUPPORT_XXH3 || defined USE_OPENSSL
+	struct name_num_item *nni;
+#endif
+
+	if (initialized_choices)
+		return;
+
+#if defined SUPPORT_XXH3 || defined USE_OPENSSL
+	for (nni = valid_checksums.list; nni->name; nni++)
+		verify_digest(nni, True);
+
+	for (nni = valid_auth_checksums.list; nni->name; nni++)
+		verify_digest(nni, False);
+#endif
+
+	initialized_choices = 1;
 }

cleanup.c

@@ -198,7 +198,7 @@ NORETURN void _exit_cleanup(int code, const char *file, int line)
 		switch_step++;
 
 		if (cleanup_fname)
-			do_unlink(cleanup_fname);
+			do_unlink_at(cleanup_fname);
 		if (exit_code)
 			kill_all(SIGUSR1);
 		if (cleanup_pid && cleanup_pid == getpid()) {

clientname.c

@@ -167,7 +167,7 @@ int read_proxy_protocol_header(int fd)
 			char sig[PROXY_V2_SIG_SIZE];
 			char ver_cmd;
 			char fam;
-			char len[2];
+			unsigned char len[2];
 			union {
 				struct {
 					char src_addr[4];

clientserver.c

@@ -30,6 +30,7 @@ extern int list_only;
 extern int am_sender;
 extern int am_server;
 extern int am_daemon;
+extern int am_chrooted;
 extern int am_root;
 extern int msgs2stderr;
 extern int rsync_port;
@@ -38,6 +39,7 @@ extern int ignore_errors;
 extern int preserve_xattrs;
 extern int kluge_around_eof;
 extern int munge_symlinks;
+extern int use_secure_symlinks;
 extern int open_noatime;
 extern int sanitize_paths;
 extern int numeric_ids;
@@ -67,6 +69,7 @@ extern uid_t our_uid;
 extern gid_t our_gid;
 
 char *auth_user;
+char *daemon_auth_choices;
 int read_only = 0;
 int module_id = -1;
 int pid_file_fd = -1;
@@ -149,13 +152,9 @@ int start_socket_client(char *host, int remote_argc, char *remote_argv[],
 static int exchange_protocols(int f_in, int f_out, char *buf, size_t bufsiz, int am_client)
 {
 	int remote_sub = -1;
-#if SUBPROTOCOL_VERSION != 0
-	int our_sub = protocol_version < PROTOCOL_VERSION ? 0 : SUBPROTOCOL_VERSION;
-#else
-	int our_sub = 0;
-#endif
+	int our_sub = get_subprotocol_version();
 
-	io_printf(f_out, "@RSYNCD: %d.%d\n", protocol_version, our_sub);
+	output_daemon_greeting(f_out, am_client);
 	if (!am_client) {
 		char *motd = lp_motd_file();
 		if (motd && *motd) {
@@ -187,16 +186,30 @@ static int exchange_protocols(int f_in, int f_out, char *buf, size_t bufsiz, int
 	}
 
 	if (remote_sub < 0) {
-		if (remote_protocol == 30) {
+		if (remote_protocol >= 30) {
 			if (am_client)
-				rprintf(FERROR, "rsync: server is speaking an incompatible beta of protocol 30\n");
+				rprintf(FERROR, "rsync: the server omitted the subprotocol value: %s\n", buf);
 			else
-				io_printf(f_out, "@ERROR: your client is speaking an incompatible beta of protocol 30\n");
+				io_printf(f_out, "@ERROR: your client omitted the subprotocol value: %s\n", buf);
 			return -1;
 		}
 		remote_sub = 0;
 	}
 
+	daemon_auth_choices = strchr(buf + 9, ' ');
+	if (daemon_auth_choices) {
+		char *cp;
+		daemon_auth_choices = strdup(daemon_auth_choices + 1);
+		if ((cp = strchr(daemon_auth_choices, '\n')) != NULL)
+			*cp = '\0';
+	} else if (remote_protocol > 31) {
+		if (am_client)
+			rprintf(FERROR, "rsync: the server omitted the digest name list: %s\n", buf);
+		else
+			io_printf(f_out, "@ERROR: your client omitted the digest name list: %s\n", buf);
+		return -1;
+	}
+
 	if (protocol_version > remote_protocol) {
 		protocol_version = remote_protocol;
 		if (remote_sub)
@@ -381,7 +394,7 @@ int start_inband_exchange(int f_in, int f_out, const char *user, int argc, char
 
 	if (rl_nulls) {
 		for (i = 0; i < sargc; i++) {
-			if (!sargs[i]) /* stop at --protect-args NULL */
+			if (!sargs[i]) /* stop at --secluded-args NULL */
 				break;
 			write_sbuf(f_out, sargs[i]);
 			write_byte(f_out, 0);
@@ -429,7 +442,7 @@ static int read_arg_from_pipe(int fd, char *buf, int limit)
 }
 #endif
 
-static void set_env_str(const char *var, const char *str)
+void set_env_str(const char *var, const char *str)
 {
 #ifdef HAVE_SETENV
 	if (setenv(var, str, 1) < 0)
@@ -690,7 +703,7 @@ static int rsync_module(int f_in, int f_out, int i, const char *addr, const char
 	int set_uid;
 	char *p, *err_msg = NULL;
 	char *name = lp_name(i);
-	int use_chroot = lp_use_chroot(i);
+	int use_chroot = lp_use_chroot(i); /* might be 1 (yes), 0 (no), or -1 (unset) */
 	int ret, pre_exec_arg_fd = -1, pre_exec_error_fd = -1;
 	int save_munge_symlinks;
 	pid_t pre_exec_pid = 0;
@@ -815,6 +828,20 @@ static int rsync_module(int f_in, int f_out, int i, const char *addr, const char
 		io_printf(f_out, "@ERROR: no path setting.\n");
 		return -1;
 	}
+	if (use_chroot < 0) {
+		if (strstr(module_dir, "/./") != NULL)
+			use_chroot = 1; /* The module is expecting a chroot inner & outer path. */
+		else if (chroot("/") < 0) {
+			rprintf(FLOG, "chroot test failed: %s. "
+				      "Switching 'use chroot' from unset to false.\n",
+				      strerror(errno));
+			use_chroot = 0;
+		} else {
+			if (chdir("/") < 0)
+			    rsyserr(FLOG, errno, "chdir(\"/\") failed");
+			use_chroot = 1;
+		}
+	}
 	if (use_chroot) {
 		if ((p = strstr(module_dir, "/./")) != NULL) {
 			*p = '\0'; /* Temporary... */
@@ -951,29 +978,20 @@ static int rsync_module(int f_in, int f_out, int i, const char *addr, const char
 	}
 
 	if (use_chroot) {
-		/*
-		 * XXX: The 'use chroot' flag is a fairly reliable
-		 * source of confusion, because it fails under two
-		 * important circumstances: running as non-root,
-		 * running on Win32 (or possibly others).  On the
-		 * other hand, if you are running as root, then it
-		 * might be better to always use chroot.
-		 *
-		 * So, perhaps if we can't chroot we should just issue
-		 * a warning, unless a "require chroot" flag is set,
-		 * in which case we fail.
-		 */
+		/* Cache timezone data before chroot makes /etc/localtime inaccessible */
+		tzset();
 		if (chroot(module_chdir)) {
-			rsyserr(FLOG, errno, "chroot %s failed", module_chdir);
+			rsyserr(FLOG, errno, "chroot(\"%s\") failed", module_chdir);
 			io_printf(f_out, "@ERROR: chroot failed\n");
 			return -1;
 		}
+		am_chrooted = 1;
 		module_chdir = module_dir;
 	}
 
 	if (!change_dir(module_chdir, CD_NORMAL))
 		return path_failure(f_out, module_chdir, True);
-	if (module_dirlen || (!use_chroot && !*lp_daemon_chroot()))
+	if (module_dirlen)
 		sanitize_paths = 1;
 
 	if ((munge_symlinks = lp_munge_symlinks(module_id)) < 0)
@@ -990,6 +1008,15 @@ static int rsync_module(int f_in, int f_out, int i, const char *addr, const char
 		}
 	}
 
+	/* Enable secure symlink handling for any non-chrooted daemon module.
+	 * This prevents TOCTOU race attacks where an attacker could switch a
+	 * directory to a symlink between path validation and file open.
+	 * Match the gate used by the do_*_at() wrappers in syscall.c
+	 * (am_daemon && !am_chrooted) -- the protection has nothing to do
+	 * with symlink munging, so a module configured with
+	 * "munge symlinks = false" must still get the secure-open path. */
+	use_secure_symlinks = am_daemon && !am_chrooted;
+
 	if (gid_list.count) {
 		gid_t *gid_array = gid_list.items;
 		if (setgid(gid_array[0])) {
@@ -1285,11 +1312,51 @@ int start_daemon(int f_in, int f_out)
 	if (lp_proxy_protocol() && !read_proxy_protocol_header(f_in))
 		return -1;
 
+	/* Do reverse DNS lookup before chroot/setuid. The result is cached,
+	 * so the later client_name() call will use this cached value. This
+	 * ensures hostname-based ACLs work even when DNS is unavailable
+	 * after chroot.
+	 *
+	 * "reverse lookup" can be set globally OR per-module, so we also
+	 * scan each module: a deployment with "reverse lookup = no" in the
+	 * global section but "reverse lookup = yes" in a specific module
+	 * still triggers a post-chroot lookup at access-check time
+	 * (rsync_module() in this file), which would also fail in the
+	 * chroot and turn hostname-based deny rules into silent bypasses. */
+	{
+		int need_reverse = lp_reverse_lookup(-1);
+		int j, num_modules = lp_num_modules();
+		for (j = 0; !need_reverse && j < num_modules; j++) {
+			if (lp_reverse_lookup(j))
+				need_reverse = 1;
+		}
+		if (need_reverse)
+			(void)client_name(client_addr(f_in));
+	}
+
 	p = lp_daemon_chroot();
 	if (*p) {
 		log_init(0); /* Make use we've initialized syslog before chrooting. */
-		if (chroot(p) < 0 || chdir("/") < 0) {
-			rsyserr(FLOG, errno, "daemon chroot %s failed", p);
+		tzset();
+		if (chroot(p) < 0) {
+			rsyserr(FLOG, errno, "daemon chroot(\"%s\") failed", p);
+			return -1;
+		}
+		/* Deliberately do NOT set am_chrooted here.  am_chrooted
+		 * gates the per-module symlink-race defenses
+		 * (secure_relative_open() and the do_*_at() wrappers in
+		 * syscall.c) and means "the kernel is enforcing path
+		 * confinement at the module boundary".  The daemon chroot
+		 * confines path resolution to the daemon-chroot directory,
+		 * not to any individual module path -- modules sharing the
+		 * daemon chroot are still distinguishable filesystem
+		 * subtrees and a sender-controlled symlink in module A
+		 * could redirect a syscall to module B (or to other files
+		 * inside the daemon chroot) without the per-module
+		 * defenses.  Leave am_chrooted=0 here so secure_relative_open()
+		 * still fires for "use chroot = no" modules. */
+		if (chdir("/") < 0) {
+			rsyserr(FLOG, errno, "daemon chdir(\"/\") failed");
 			return -1;
 		}
 	}

compat.c

@@ -60,13 +60,16 @@ extern char *files_from;
 extern char *filesfrom_host;
 extern const char *checksum_choice;
 extern const char *compress_choice;
+extern char *daemon_auth_choices;
 extern filter_rule_list filter_list;
 extern int need_unsorted_flist;
 #ifdef ICONV_OPTION
 extern iconv_t ic_send, ic_recv;
 extern char *iconv_opt;
 #endif
-extern struct name_num_obj valid_checksums;
+extern struct name_num_obj valid_checksums, valid_auth_checksums;
+
+extern struct name_num_item *xfer_sum_nni;
 
 int remote_protocol = 0;
 int file_extra_cnt = 0; /* count of file-list extras that everyone gets */
@@ -79,6 +82,9 @@ int inplace_partial = 0;
 int do_negotiated_strings = 0;
 int xmit_id0_names = 0;
 
+struct name_num_item *xattr_sum_nni;
+int xattr_sum_len = 0;
+
 /* These index values are for the file-list's extra-attribute array. */
 int pathname_ndx, depth_ndx, atimes_ndx, crtimes_ndx, uid_ndx, gid_ndx, acls_ndx, xattrs_ndx, unsort_ndx;
 
@@ -91,19 +97,21 @@ int filesfrom_convert = 0;
 
 #define MAX_NSTR_STRLEN 256
 
-struct name_num_obj valid_compressions = {
-	"compress", NULL, NULL, 0, 0, {
+struct name_num_item valid_compressions_items[] = {
 #ifdef SUPPORT_ZSTD
-		{ CPRES_ZSTD, "zstd", NULL },
+	{ CPRES_ZSTD, 0, "zstd", NULL },
 #endif
 #ifdef SUPPORT_LZ4
-		{ CPRES_LZ4, "lz4", NULL },
+	{ CPRES_LZ4, 0, "lz4", NULL },
 #endif
-		{ CPRES_ZLIBX, "zlibx", NULL },
-		{ CPRES_ZLIB, "zlib", NULL },
-		{ CPRES_NONE, "none", NULL },
-		{ 0, NULL, NULL }
-	}
+	{ CPRES_ZLIBX, 0, "zlibx", NULL },
+	{ CPRES_ZLIB, 0, "zlib", NULL },
+	{ CPRES_NONE, 0, "none", NULL },
+	{ 0, 0, NULL, NULL }
+};
+
+struct name_num_obj valid_compressions = {
+	"compress", NULL, 0, 0, valid_compressions_items
 };
 
 #define CF_INC_RECURSE	 (1<<0)
@@ -123,13 +131,9 @@ static const char *client_info;
  * of that protocol for it to be advertised as available. */
 static void check_sub_protocol(void)
 {
-	char *dot;
+	const char *dot;
 	int their_protocol, their_sub;
-#if SUBPROTOCOL_VERSION != 0
-	int our_sub = protocol_version < PROTOCOL_VERSION ? 0 : SUBPROTOCOL_VERSION;
-#else
-	int our_sub = 0;
-#endif
+	int our_sub = get_subprotocol_version();
 
 	/* client_info starts with VER.SUB string if client is a pre-release. */
 	if (!(their_protocol = atoi(client_info))
@@ -176,8 +180,8 @@ void set_allow_inc_recurse(void)
 
 void parse_compress_choice(int final_call)
 {
-	if (valid_compressions.negotiated_name)
-		do_compression = valid_compressions.negotiated_num;
+	if (valid_compressions.negotiated_nni)
+		do_compression = valid_compressions.negotiated_nni->num;
 	else if (compress_choice) {
 		struct name_num_item *nni = get_nni_by_name(&valid_compressions, compress_choice, -1);
 		if (!nni) {
@@ -199,8 +203,8 @@ void parse_compress_choice(int final_call)
 		compress_choice = NULL;
 
 	/* Snag the compression name for both write_batch's option output & the following debug output. */
-	if (valid_compressions.negotiated_name)
-		compress_choice = valid_compressions.negotiated_name;
+	if (valid_compressions.negotiated_nni)
+		compress_choice = valid_compressions.negotiated_nni->name;
 	else if (compress_choice == NULL) {
 		struct name_num_item *nni = get_nni_by_num(&valid_compressions, do_compression);
 		compress_choice = nni ? nni->name : "UNKNOWN";
@@ -210,7 +214,7 @@ void parse_compress_choice(int final_call)
 	 && (do_compression != CPRES_NONE || do_compression_level != CLVL_NOT_SPECIFIED)) {
 		rprintf(FINFO, "%s%s compress: %s (level %d)\n",
 			am_server ? "Server" : "Client",
-			valid_compressions.negotiated_name ? " negotiated" : "",
+			valid_compressions.negotiated_nni ? " negotiated" : "",
 			compress_choice, do_compression_level);
 	}
 }
@@ -223,6 +227,8 @@ struct name_num_item *get_nni_by_name(struct name_num_obj *nno, const char *name
 		len = strlen(name);
 
 	for (nni = nno->list; nni->name; nni++) {
+		if (nni->num == CSUM_gone)
+			continue;
 		if (strncasecmp(name, nni->name, len) == 0 && nni->name[len] == '\0')
 			return nni;
 	}
@@ -257,10 +263,12 @@ static void init_nno_saw(struct name_num_obj *nno, int val)
 	if (!nno->saw) {
 		nno->saw = new_array0(uchar, nno->saw_len);
 
-		/* We'll take this opportunity to make sure that the main_name values are set right. */
+		/* We'll take this opportunity to set the main_nni values for duplicates. */
 		for (cnt = 1, nni = nno->list; nni->name; nni++, cnt++) {
+			if (nni->num == CSUM_gone)
+				continue;
 			if (nno->saw[nni->num])
-				nni->main_name = nno->list[nno->saw[nni->num]-1].name;
+				nni->main_nni = &nno->list[nno->saw[nni->num]-1];
 			else
 				nno->saw[nni->num] = cnt;
 		}
@@ -286,8 +294,8 @@ static int parse_nni_str(struct name_num_obj *nno, const char *from, char *tobuf
 				struct name_num_item *nni = get_nni_by_name(nno, tok, to - tok);
 				if (nni && !nno->saw[nni->num]) {
 					nno->saw[nni->num] = ++cnt;
-					if (nni->main_name) {
-						to = tok + strlcpy(tok, nni->main_name, tobuf_len - (tok - tobuf));
+					if (nni->main_nni) {
+						to = tok + strlcpy(tok, nni->main_nni->name, tobuf_len - (tok - tobuf));
 						if (to - tobuf >= tobuf_len) {
 							to = tok - 1;
 							break;
@@ -321,13 +329,44 @@ static int parse_nni_str(struct name_num_obj *nno, const char *from, char *tobuf
 	return to - tobuf;
 }
 
+static int parse_negotiate_str(struct name_num_obj *nno, char *tmpbuf)
+{
+	struct name_num_item *nni, *ret = NULL;
+	int best = nno->saw_len; /* We want best == 1 from the client list, so start with a big number. */
+	char *space, *tok = tmpbuf;
+	while (tok) {
+		while (*tok == ' ') tok++; /* Should be unneeded... */
+		if (!*tok)
+			break;
+		if ((space = strchr(tok, ' ')) != NULL)
+			*space = '\0';
+		nni = get_nni_by_name(nno, tok, -1);
+		if (space) {
+			*space = ' ';
+			tok = space + 1;
+		} else
+			tok = NULL;
+		if (!nni || !nno->saw[nni->num] || best <= nno->saw[nni->num])
+			continue;
+		ret = nni;
+		best = nno->saw[nni->num];
+		if (best == 1 || am_server) /* The server side stops at the first acceptable client choice */
+			break;
+	}
+	if (ret) {
+		free(nno->saw);
+		nno->saw = NULL;
+		nno->negotiated_nni = ret->main_nni ? ret->main_nni : ret;
+		return 1;
+	}
+	return 0;
+}
+
 /* This routine is always called with a tmpbuf of MAX_NSTR_STRLEN length, but the
  * buffer may be pre-populated with a "len" length string to use OR a len of -1
  * to tell us to read a string from the fd. */
 static void recv_negotiate_str(int f_in, struct name_num_obj *nno, char *tmpbuf, int len)
 {
-	struct name_num_item *ret = NULL;
-
 	if (len < 0)
 		len = read_vstring(f_in, tmpbuf, MAX_NSTR_STRLEN);
 
@@ -338,37 +377,8 @@ static void recv_negotiate_str(int f_in, struct name_num_obj *nno, char *tmpbuf,
 			rprintf(FINFO, "Server %s list (on client): %s\n", nno->type, tmpbuf);
 	}
 
-	if (len > 0) {
-		struct name_num_item *nni;
-		int best = nno->saw_len; /* We want best == 1 from the client list, so start with a big number. */
-		char *space, *tok = tmpbuf;
-		while (tok) {
-			while (*tok == ' ') tok++; /* Should be unneeded... */
-			if (!*tok)
-				break;
-			if ((space = strchr(tok, ' ')) != NULL)
-				*space = '\0';
-			nni = get_nni_by_name(nno, tok, -1);
-			if (space) {
-				*space = ' ';
-				tok = space + 1;
-			} else
-				tok = NULL;
-			if (!nni || !nno->saw[nni->num] || best <= nno->saw[nni->num])
-				continue;
-			ret = nni;
-			best = nno->saw[nni->num];
-			if (best == 1 || am_server) /* The server side stops at the first acceptable client choice */
-				break;
-		}
-		if (ret) {
-			free(nno->saw);
-			nno->saw = NULL;
-			nno->negotiated_name = ret->main_name ? ret->main_name : ret->name;
-			nno->negotiated_num = ret->num;
-			return;
-		}
-	}
+	if (len > 0 && parse_negotiate_str(nno, tmpbuf))
+		return;
 
 	if (!am_server || !do_negotiated_strings) {
 		char *cp = tmpbuf;
@@ -400,11 +410,11 @@ static const char *getenv_nstr(int ntype)
 	const char *env_str = getenv(ntype == NSTR_COMPRESS ? "RSYNC_COMPRESS_LIST" : "RSYNC_CHECKSUM_LIST");
 
 	/* When writing a batch file, we always negotiate an old-style choice. */
-	if (write_batch) 
+	if (write_batch)
 		env_str = ntype == NSTR_COMPRESS ? "zlib" : protocol_version >= 30 ? "md5" : "md4";
 
 	if (am_server && env_str) {
-		char *cp = strchr(env_str, '&');
+		const char *cp = strchr(env_str, '&');
 		if (cp)
 			env_str = cp + 1;
 	}
@@ -433,7 +443,7 @@ void validate_choice_vs_env(int ntype, int num1, int num2)
 		nno->saw[CSUM_MD4_ARCHAIC] = nno->saw[CSUM_MD4_BUSTED] = nno->saw[CSUM_MD4_OLD] = nno->saw[CSUM_MD4];
 
 	if (!nno->saw[num1] || (num2 >= 0 && !nno->saw[num2])) {
-		rprintf(FERROR, "Your --%s-choice value (%s) was refused by the server.\n", 
+		rprintf(FERROR, "Your --%s-choice value (%s) was refused by the server.\n",
 			ntype == NSTR_COMPRESS ? "compress" : "checksum",
 			ntype == NSTR_COMPRESS ? compress_choice : checksum_choice);
 		exit_cleanup(RERR_UNSUPPORTED);
@@ -464,8 +474,10 @@ int get_default_nno_list(struct name_num_obj *nno, char *to_buf, int to_buf_len,
 	init_nno_saw(nno, 0);
 
 	for (nni = nno->list, len = 0; nni->name; nni++) {
-		if (nni->main_name) {
-			if (!dup_markup)
+		if (nni->num == CSUM_gone)
+			continue;
+		if (nni->main_nni) {
+			if (!dup_markup || nni->main_nni->num == CSUM_gone)
 				continue;
 			delim = dup_markup;
 		}
@@ -523,6 +535,8 @@ static void negotiate_the_strings(int f_in, int f_out)
 {
 	/* We send all the negotiation strings before we start to read them to help avoid a slow startup. */
 
+	init_checksum_choices();
+
 	if (!checksum_choice)
 		send_negotiate_str(f_out, &valid_checksums, NSTR_CHECKSUM);
 
@@ -552,7 +566,7 @@ static void negotiate_the_strings(int f_in, int f_out)
 	/* If the other side is too old to negotiate, the above steps just made sure that
 	 * the env didn't disallow the old algorithm. Mark things as non-negotiated. */
 	if (!do_negotiated_strings)
-		valid_checksums.negotiated_name = valid_compressions.negotiated_name = NULL;
+		valid_checksums.negotiated_nni = valid_compressions.negotiated_nni = NULL;
 }
 
 void setup_protocol(int f_out,int f_in)
@@ -604,7 +618,7 @@ void setup_protocol(int f_out,int f_in)
 	if (remote_protocol < MIN_PROTOCOL_VERSION
 	 || remote_protocol > MAX_PROTOCOL_VERSION) {
 		rprintf(FERROR,"protocol version mismatch -- is your shell clean?\n");
-		rprintf(FERROR,"(see the rsync man page for an explanation)\n");
+		rprintf(FERROR,"(see the rsync manpage for an explanation)\n");
 		exit_cleanup(RERR_PROTOCOL);
 	}
 	if (remote_protocol < OLD_PROTOCOL_VERSION) {
@@ -801,11 +815,73 @@ void setup_protocol(int f_out,int f_in)
 		checksum_seed = read_int(f_in);
 	}
 
-	parse_checksum_choice(1); /* Sets checksum_type & xfersum_type */
+	parse_checksum_choice(1); /* Sets file_sum_nni & xfer_sum_nni */
 	parse_compress_choice(1); /* Sets do_compression */
 
+	/* TODO in the future allow this algorithm to be chosen somehow, but it can't get too
+	 * long or the size starts to cause a problem in the xattr abbrev/non-abbrev code. */
+	xattr_sum_nni = parse_csum_name(NULL, 0);
+	xattr_sum_len = csum_len_for_type(xattr_sum_nni->num, 0);
+
 	if (write_batch && !am_server)
 		write_batch_shell_file();
 
 	init_flist();
 }
+
+void output_daemon_greeting(int f_out, int am_client)
+{
+	char tmpbuf[MAX_NSTR_STRLEN];
+	int our_sub = get_subprotocol_version();
+
+	get_default_nno_list(&valid_auth_checksums, tmpbuf, MAX_NSTR_STRLEN, '\0');
+
+	io_printf(f_out, "@RSYNCD: %d.%d %s\n", protocol_version, our_sub, tmpbuf);
+
+	if (am_client && DEBUG_GTE(NSTR, 2))
+		rprintf(FINFO, "Client %s list (on client): %s\n", valid_auth_checksums.type, tmpbuf);
+}
+
+void negotiate_daemon_auth(int f_out, int am_client)
+{
+	char tmpbuf[MAX_NSTR_STRLEN];
+	int save_am_server = am_server;
+	int md4_is_old = 0;
+
+	if (!am_client)
+		am_server = 1;
+
+	if (daemon_auth_choices)
+		strlcpy(tmpbuf, daemon_auth_choices, MAX_NSTR_STRLEN);
+	else {
+		strlcpy(tmpbuf, protocol_version >= 30 ? "md5" : "md4", MAX_NSTR_STRLEN);
+		md4_is_old = 1;
+	}
+
+	if (am_client) {
+		recv_negotiate_str(-1, &valid_auth_checksums, tmpbuf, strlen(tmpbuf));
+		if (DEBUG_GTE(NSTR, 1)) {
+			rprintf(FINFO, "Client negotiated %s: %s\n", valid_auth_checksums.type,
+				valid_auth_checksums.negotiated_nni->name);
+		}
+	} else {
+		if (!parse_negotiate_str(&valid_auth_checksums, tmpbuf)) {
+			get_default_nno_list(&valid_auth_checksums, tmpbuf, MAX_NSTR_STRLEN, '\0');
+			io_printf(f_out, "@ERROR: your client does not support one of our daemon-auth checksums: %s\n",
+				  tmpbuf);
+			exit_cleanup(RERR_UNSUPPORTED);
+		}
+	}
+	am_server = save_am_server;
+	if (md4_is_old && valid_auth_checksums.negotiated_nni->num == CSUM_MD4)
+		valid_auth_checksums.negotiated_nni->num = CSUM_MD4_OLD;
+}
+
+int get_subprotocol_version()
+{
+#if SUBPROTOCOL_VERSION != 0
+	return protocol_version < PROTOCOL_VERSION ? 0 : SUBPROTOCOL_VERSION;
+#else
+	return 0;
+#endif
+}

configure.ac

@@ -4,7 +4,6 @@ AC_INIT([rsync],[ ],[https://rsync.samba.org/bug-tracking.html])
 
 AC_C_BIGENDIAN
 AC_HEADER_DIRENT
-AC_HEADER_TIME
 AC_HEADER_SYS_WAIT
 AC_CHECK_HEADERS(sys/fcntl.h sys/select.h fcntl.h sys/time.h sys/unistd.h \
     unistd.h utime.h compat.h sys/param.h ctype.h sys/wait.h sys/stat.h \
@@ -13,16 +12,17 @@ AC_CHECK_HEADERS(sys/fcntl.h sys/select.h fcntl.h sys/time.h sys/unistd.h \
     netdb.h malloc.h float.h limits.h iconv.h libcharset.h langinfo.h mcheck.h \
     sys/acl.h acl/libacl.h attr/xattr.h sys/xattr.h sys/extattr.h dl.h \
     popt.h popt/popt.h linux/falloc.h netinet/in_systm.h netgroup.h \
-    zlib.h xxhash.h openssl/md4.h openssl/md5.h zstd.h lz4.h sys/file.h)
+    zlib.h xxhash.h openssl/md4.h openssl/md5.h zstd.h lz4.h sys/file.h \
+    bsd/string.h)
 AC_CHECK_HEADERS([netinet/ip.h], [], [], [[#include <netinet/in.h>]])
 AC_HEADER_MAJOR_FIXED
 
 AC_CONFIG_MACRO_DIR([m4])
 AC_CONFIG_SRCDIR([byteorder.h])
-AC_CONFIG_HEADER(config.h)
+AC_CONFIG_HEADERS([config.h])
 AC_PREREQ([2.69])
 
-PACKAGE_VERSION=`sed 's/.*"\(.*\)".*/\1/' <$srcdir/version.h`
+PACKAGE_VERSION=`sed -n 's/.*RSYNC_VERSION.*"\(.*\)".*/\1/p' <$srcdir/version.h`
 
 AC_MSG_NOTICE([Configuring rsync $PACKAGE_VERSION])
 
@@ -60,7 +60,6 @@ AC_PROG_AWK
 AC_PROG_EGREP
 AC_PROG_INSTALL
 AC_PROG_MKDIR_P
-AC_PROG_CC_STDC
 AC_SUBST(SHELL)
 AC_PATH_PROG([PERL], [perl])
 AC_PATH_PROG([PYTHON3], [python3])
@@ -83,7 +82,7 @@ if test x"$enable_profile" = x"yes"; then
 	CFLAGS="$CFLAGS -pg"
 fi
 
-AC_MSG_CHECKING([if md2man can create man pages])
+AC_MSG_CHECKING([if md2man can create manpages])
 if test x"$ac_cv_path_PYTHON3" = x; then
     AC_MSG_RESULT(no - python3 not found)
     md2man_works=no
@@ -101,7 +100,7 @@ fi
 
 AC_MSG_CHECKING([if we require man-page building])
 AC_ARG_ENABLE([md2man],
-	AS_HELP_STRING([--disable-md2man],[disable to omit man page creation]))
+	AS_HELP_STRING([--disable-md2man],[disable to omit manpage creation]))
 if test x"$enable_md2man" != x"no"; then
     if test -f "$srcdir/rsync.1"; then
 	AC_MSG_RESULT(optional)
@@ -109,7 +108,7 @@ if test x"$enable_md2man" != x"no"; then
 	AC_MSG_RESULT(required)
 	if test x"$md2man_works" = x"no"; then
 	    err_msg="$err_msg$nl- You need python3 and either the cmarkgfm OR commonmark python3 lib in order"
-	    err_msg="$err_msg$nl  to build man pages based on the git source (man pages are included in the"
+	    err_msg="$err_msg$nl  to build manpages based on the git source (manpages are included in the"
 	    err_msg="$err_msg$nl  official release tar files)."
 	    no_lib="$no_lib md2man"
 	fi
@@ -135,8 +134,18 @@ if test x"$GCC" = x"yes"; then
 	CFLAGS="$CFLAGS -Wall -W"
 fi
 
+AC_ARG_WITH(openssl-conf,
+	AS_HELP_STRING([--with-openssl-conf=PATH],[set default OPENSSL_CONF path for rsync]))
+case "$with_openssl_conf" in
+    *[^-/a-zA-Z0-9.,=@+_]*) AC_MSG_ERROR([Invalid path given to --with-openssl-conf]) ;;
+    /*) CFLAGS="$CFLAGS -DSET_OPENSSL_CONF=$with_openssl_conf" ;;
+    no|'') ;;
+    yes) AC_MSG_ERROR([No path given to --with-openssl-conf]) ;;
+    *) AC_MSG_ERROR([Non absolute path given to --with-openssl-conf]) ;;
+esac
+
 AC_ARG_WITH(rrsync,
-        AS_HELP_STRING([--with-rrsync],[also install the rrsync script and its man page]))
+        AS_HELP_STRING([--with-rrsync],[also install the rrsync script and its manpage]))
 if test x"$with_rrsync" != x"yes"; then
     with_rrsync=no
 else
@@ -152,10 +161,10 @@ AC_ARG_WITH(included-popt,
 AC_ARG_WITH(included-zlib,
         AS_HELP_STRING([--with-included-zlib],[use bundled zlib library, not from system]))
 
-AC_ARG_WITH(protected-args,
-        AS_HELP_STRING([--with-protected-args],[make --protected-args option the default]))
-if test x"$with_protected_args" = x"yes"; then
-	AC_DEFINE_UNQUOTED(RSYNC_USE_PROTECTED_ARGS, 1, [Define to 1 if --protected-args should be the default])
+AC_ARG_WITH(secluded-args,
+        AS_HELP_STRING([--with-secluded-args],[make --secluded-args option the default]))
+if test x"$with_secluded_args" = x"yes"; then
+	AC_DEFINE_UNQUOTED(RSYNC_USE_SECLUDED_ARGS, 1, [Define to 1 if --secluded-args should be the default])
 fi
 
 AC_ARG_WITH(rsync-path,
@@ -229,12 +238,12 @@ fi
 AC_DEFINE_UNQUOTED(NOBODY_USER, "$NOBODY_USER", [unprivileged user--e.g. nobody])
 AC_DEFINE_UNQUOTED(NOBODY_GROUP, "$NOBODY_GROUP", [unprivileged group for unprivileged user])
 
-# SIMD optimizations
-SIMD=
+# rolling-checksum SIMD optimizations
+ROLL_SIMD=
 
-AC_MSG_CHECKING([whether to enable SIMD optimizations])
-AC_ARG_ENABLE(simd,
-    AS_HELP_STRING([--enable-simd],[enable/disable to control SIMD optimizations (requires c++)]))
+AC_MSG_CHECKING([whether to enable rolling-checksum SIMD optimizations])
+AC_ARG_ENABLE(roll-simd,
+    AS_HELP_STRING([--enable-roll-simd],[enable/disable to control rolling-checksum SIMD optimizations (requires c++)]))
 
 # Clag is crashing with -g -O2, so we'll get rid of -g for now.
 CXXFLAGS=`echo "$CXXFLAGS" | sed 's/-g //'`
@@ -263,14 +272,14 @@ __attribute__ ((target("ssse3"))) void more_testing(char* buf, int len)
 }
 ]])
 
-if test x"$enable_simd" = x""; then
+if test x"$enable_roll_simd" = x""; then
     case "$host_os" in
 	*linux*) ;;
-	*) enable_simd=no ;;
+	*) enable_roll_simd=no ;;
     esac
 fi
 
-if test x"$enable_simd" != x"no"; then
+if test x"$enable_roll_simd" != x"no"; then
     # For x86-64 SIMD, g++ >=5 or clang++ >=7 is required
     if test x"$host_cpu" = x"x86_64" || test x"$host_cpu" = x"amd64"; then
 	AC_LANG(C++)
@@ -283,23 +292,23 @@ if test x"$enable_simd" != x"no"; then
 	AC_LANG(C)
 	if test x"$CXX_OK" = x"yes"; then
 	    # AC_MSG_RESULT() is called below.
-	    SIMD="$host_cpu"
-	elif test x"$enable_simd" = x"yes"; then
+	    ROLL_SIMD="$host_cpu"
+	elif test x"$enable_roll_simd" = x"yes"; then
 	    AC_MSG_RESULT(error)
-	    AC_MSG_ERROR(The SIMD compilation test failed.
-Omit --enable-simd to continue without it.)
+	    AC_MSG_ERROR(The rolling-checksum SIMD compilation test failed.
+Omit --enable-roll-simd to continue without it.)
 	fi
-    elif test x"$enable_simd" = x"yes"; then
+    elif test x"$enable_roll_simd" = x"yes"; then
         AC_MSG_RESULT(unavailable)
-        AC_MSG_ERROR(The SIMD optimizations are currently x86_64|amd64 only.
-Omit --enable-simd to continue without it.)
+        AC_MSG_ERROR(The rolling-checksum SIMD optimizations are currently x86_64|amd64 only.
+Omit --enable-roll-simd to continue without it.)
     fi
 fi
 
-if test x"$SIMD" != x""; then
-    AC_MSG_RESULT([yes ($SIMD)])
-    AC_DEFINE(HAVE_SIMD, 1, [Define to 1 to enable SIMD optimizations])
-    SIMD='$(SIMD_'"$SIMD)"
+if test x"$ROLL_SIMD" != x""; then
+    AC_MSG_RESULT([yes ($ROLL_SIMD)])
+    AC_DEFINE(USE_ROLL_SIMD, 1, [Define to 1 to enable rolling-checksum SIMD optimizations])
+    ROLL_SIMD='$(ROLL_SIMD_'"$ROLL_SIMD)"
     # We only use c++ for its target attribute dispatching, disable unneeded bulky features
     CXXFLAGS="$CXXFLAGS -fno-exceptions -fno-rtti"
     # Apple often has "g++" as a symlink for clang. Try to find out the truth.
@@ -311,7 +320,7 @@ else
     AC_MSG_RESULT(no)
 fi
 
-AC_SUBST(SIMD)
+AC_SUBST(ROLL_SIMD)
 
 AC_MSG_CHECKING([if assembler accepts noexecstack])
 OLD_CFLAGS="$CFLAGS"
@@ -322,52 +331,19 @@ AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ ]], [[return 0;]])],
 CFLAGS="$OLD_CFLAGS"
 AC_SUBST(NOEXECSTACK)
 
-ASM=
-
-AC_MSG_CHECKING([whether to enable ASM optimizations])
-AC_ARG_ENABLE(asm,
-    AS_HELP_STRING([--enable-asm],[enable/disable to control ASM optimizations]))
-
-if test x"$enable_asm" = x""; then
-    case "$host_os" in
-	*linux*) ;;
-	*) enable_asm=no ;;
-    esac
-fi
-
-if test x"$enable_asm" != x"no"; then
-    if test x"$host_cpu" = x"x86_64" || test x"$host_cpu" = x"amd64"; then
-	ASM="$host_cpu"
-    elif test x"$enable_asm" = x"yes"; then
-        AC_MSG_RESULT(unavailable)
-        AC_MSG_ERROR(The ASM optimizations are currently x86_64|amd64 only.
-Omit --enable-asm to continue without it.)
-    fi
-fi
-
-if test x"$ASM" != x""; then
-    AC_MSG_RESULT([yes ($ASM)])
-    AC_DEFINE(HAVE_ASM, 1, [Define to 1 to enable ASM optimizations])
-    ASM='$(ASM_'"$ASM)"
-else
-    AC_MSG_RESULT(no)
-fi
-
-AC_SUBST(ASM)
-
 # arrgh. libc in some old debian version screwed up the largefile
 # stuff, getting byte range locking wrong
 AC_CACHE_CHECK([for broken largefile support],rsync_cv_HAVE_BROKEN_LARGEFILE,[
 AC_RUN_IFELSE([AC_LANG_SOURCE([[
 #define _FILE_OFFSET_BITS 64
-#include <stdio.h>
-#include <fcntl.h>
-#ifdef HAVE_SYS_TYPES_H
-#include <sys/types.h>
+$ac_includes_default
+#ifdef HAVE_FCNTL_H
+# include <fcntl.h>
+#elif defined HAVE_SYS_FCNTL_H
+# include <sys/fcntl.h>
 #endif
+#ifdef HAVE_SYS_WAIT_H
 #include <sys/wait.h>
-#if HAVE_UNISTD_H
-#include <unistd.h>
 #endif
 
 int main(void)
@@ -412,7 +388,7 @@ AS_HELP_STRING([--disable-ipv6],[disable to omit ipv6 support]),
 	;;
   esac ],
 
-  AC_TRY_RUN([ /* AF_INET6 availability check */
+  AC_RUN_IFELSE([AC_LANG_SOURCE([[ /* AF_INET6 availability check */
 #include <stdlib.h>
 #include <sys/types.h>
 #include <sys/socket.h>
@@ -423,11 +399,11 @@ main()
    else
      exit(0);
 }
-],
-  AC_MSG_RESULT(yes)
-  AC_DEFINE(INET6, 1, [true if you have IPv6]),
-  AC_MSG_RESULT(no),
-  AC_MSG_RESULT(no)
+]])],
+  [AC_MSG_RESULT(yes)
+  AC_DEFINE(INET6, 1, true if you have IPv6)],
+  [AC_MSG_RESULT(no)],
+  [AC_MSG_RESULT(no)]
 ))
 
 dnl Do you want to disable use of locale functions
@@ -457,7 +433,8 @@ if test x"$enable_openssl" != x"no"; then
     if test x"$ac_cv_header_openssl_md4_h" = x"yes" && test x"$ac_cv_header_openssl_md5_h" = x"yes"; then
       AC_MSG_RESULT(yes)
       AC_SEARCH_LIBS(MD5_Init, crypto,
-          [AC_DEFINE(USE_OPENSSL)],
+          [AC_DEFINE(USE_OPENSSL)
+	   enable_openssl=yes],
           [err_msg="$err_msg$nl- Failed to find MD5_Init function in openssl crypto lib.";
 	   no_lib="$no_lib openssl"])
     else
@@ -465,10 +442,67 @@ if test x"$enable_openssl" != x"no"; then
 	err_msg="$err_msg$nl- Failed to find openssl/md4.h and openssl/md5.h for openssl crypto lib support."
 	no_lib="$no_lib openssl"
     fi
+    if test x"$enable_md5_asm" != x"yes"; then
+	enable_md5_asm=no
+    fi
 else
     AC_MSG_RESULT(no)
 fi
 
+MD5_ASM=
+
+AC_MSG_CHECKING([whether to enable MD5 ASM optimizations])
+AC_ARG_ENABLE(md5-asm,
+    AS_HELP_STRING([--enable-md5-asm],[enable/disable to control MD5 ASM optimizations]))
+
+if test x"$enable_md5_asm" = x""; then
+    case "$host_os" in
+	*linux*) ;;
+	*) enable_md5_asm=no ;;
+    esac
+fi
+
+if test x"$enable_md5_asm" != x"no"; then
+    if test x"$host_cpu" = x"x86_64" || test x"$host_cpu" = x"amd64"; then
+	MD5_ASM="$host_cpu"
+    elif test x"$enable_md5_asm" = x"yes"; then
+        AC_MSG_RESULT(unavailable)
+        AC_MSG_ERROR(The ASM optimizations are currently x86_64|amd64 only.
+Omit --enable-md5-asm to continue without it.)
+    fi
+fi
+
+if test x"$MD5_ASM" != x""; then
+    AC_MSG_RESULT([yes ($MD5_ASM)])
+    AC_DEFINE(USE_MD5_ASM, 1, [Define to 1 to enable MD5 ASM optimizations])
+    MD5_ASM='$(MD5_ASM_'"$MD5_ASM)"
+else
+    AC_MSG_RESULT(no)
+fi
+
+AC_SUBST(MD5_ASM)
+
+ROLL_ASM=
+
+AC_MSG_CHECKING([whether to enable rolling-checksum ASM optimizations])
+AC_ARG_ENABLE(roll-asm,
+    AS_HELP_STRING([--enable-roll-asm],[enable/disable to control rolling-checksum ASM optimizations (requires --enable-roll-simd)]))
+
+if test x"$ROLL_SIMD" = x""; then
+    enable_roll_asm=no
+fi
+
+if test x"$enable_roll_asm" = x"yes"; then
+    ROLL_ASM="$host_cpu"
+    AC_MSG_RESULT([yes ($ROLL_ASM)])
+    AC_DEFINE(USE_ROLL_ASM, 1, [Define to 1 to enable rolling-checksum ASM optimizations (requires --enable-roll-simd)])
+    ROLL_ASM='$(ROLL_ASM_'"$ROLL_ASM)"
+else
+    AC_MSG_RESULT(no)
+fi
+
+AC_SUBST(ROLL_ASM)
+
 AC_MSG_CHECKING([whether to enable xxhash checksum support])
 AC_ARG_ENABLE([xxhash],
 	AS_HELP_STRING([--disable-xxhash],[disable to omit xxhash checksums]))
@@ -492,7 +526,7 @@ fi
 
 AC_MSG_CHECKING([whether to enable zstd compression])
 AC_ARG_ENABLE([zstd],
-        AC_HELP_STRING([--disable-zstd], [disable to omit zstd compression]))
+        AS_HELP_STRING([--disable-zstd], [disable to omit zstd compression]))
 AH_TEMPLATE([SUPPORT_ZSTD],
 [Undefine if you do not want zstd compression.  By default this is defined.])
 if test x"$enable_zstd" != x"no"; then
@@ -513,7 +547,7 @@ fi
 
 AC_MSG_CHECKING([whether to enable LZ4 compression])
 AC_ARG_ENABLE([lz4],
-        AC_HELP_STRING([--disable-lz4], [disable to omit LZ4 compression]))
+        AS_HELP_STRING([--disable-lz4], [disable to omit LZ4 compression]))
 AH_TEMPLATE([SUPPORT_LZ4],
 [Undefine if you do not want LZ4 compression.  By default this is defined.])
 if test x"$enable_lz4" != x"no"; then
@@ -538,7 +572,7 @@ if test x"$no_lib" != x; then
     echo "$err_msg"
     echo ""
     echo "See the INSTALL file for hints on how to install the missing libraries and/or"
-    echo "how to generate (or fetch) man pages:"
+    echo "how to generate (or fetch) manpages:"
     echo "    https://github.com/WayneD/rsync/blob/master/INSTALL.md"
     echo ""
     echo "To disable one or more features, the relevant configure options are:"
@@ -599,7 +633,11 @@ fi
 
 AC_TYPE_UID_T
 AC_CHECK_TYPES([mode_t,off_t,size_t,pid_t,id_t])
-AC_TYPE_GETGROUPS
+if test "$cross_compiling" = no; then
+    AC_TYPE_GETGROUPS
+else
+    AC_DEFINE([GETGROUPS_T],[gid_t],[Define to the type of elements in the array set by `getgroups'. Usually this is either `int' or `gid_t'.])
+fi
 AC_CHECK_MEMBERS([struct stat.st_rdev,
 		  struct stat.st_mtimensec,
 		  struct stat.st_mtimespec.tv_nsec,
@@ -1041,21 +1079,6 @@ elif test x"$ac_cv_header_popt_h" != x"yes"; then
     with_included_popt=yes
 fi
 
-if test x"$GCC" = x"yes"; then
-    if test x"$with_included_popt" != x"yes"; then
-	# Turn pedantic warnings into errors to ensure an array-init overflow is an error.
-	CFLAGS="$CFLAGS -pedantic-errors"
-    else
-	# Our internal popt code cannot be compiled with pedantic warnings as errors, so try to
-	# turn off pedantic warnings (which will not lose the error for array-init overflow).
-	# Older gcc versions don't understand -Wno-pedantic, so check if --help=warnings lists
-	# -Wpedantic and use that as a flag.
-	case `$CC --help=warnings 2>/dev/null | grep Wpedantic` in
-	    *-Wpedantic*) CFLAGS="$CFLAGS -pedantic-errors -Wno-pedantic" ;;
-	esac
-    fi
-fi
-
 AC_MSG_CHECKING([whether to use included libpopt])
 if test x"$with_included_popt" = x"yes"; then
     AC_MSG_RESULT($srcdir/popt)
@@ -1092,7 +1115,7 @@ else
 fi
 
 AC_CACHE_CHECK([for unsigned char],rsync_cv_SIGNED_CHAR_OK,[
-AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[]], [[signed char *s = ""]])],[rsync_cv_SIGNED_CHAR_OK=yes],[rsync_cv_SIGNED_CHAR_OK=no])])
+AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[]], [[signed char *s = (signed char *)""]])],[rsync_cv_SIGNED_CHAR_OK=yes],[rsync_cv_SIGNED_CHAR_OK=no])])
 if test x"$rsync_cv_SIGNED_CHAR_OK" = x"yes"; then
     AC_DEFINE(SIGNED_CHAR_OK, 1, [Define to 1 if "signed char" is a valid type])
 fi
@@ -1367,7 +1390,7 @@ else
 	AC_DEFINE(HAVE_LINUX_XATTRS, 1, [True if you have Linux xattrs (or equivalent)])
 	AC_DEFINE(SUPPORT_XATTRS, 1)
 	AC_DEFINE(NO_SYMLINK_USER_XATTRS, 1, [True if symlinks do not support user xattrs])
-	AC_CHECK_LIB(attr,getxattr)
+	AC_SEARCH_LIBS(getxattr,attr)
 	;;
     darwin*)
 	AC_MSG_RESULT(Using OS X xattrs)

csprotocol.txt

@@ -7,39 +7,54 @@ basically a summary of clientserver.c and authenticate.c.
 This is the protocol used for rsync --daemon; i.e. connections to port
 873 rather than invocations over a remote shell.
 
-When the server accepts a connection, it prints a greeting
+When the server accepts a connection, it prints a newline-terminated
+greeting line:
 
-  @RSYNCD: <version>.<subprotocol>
+  @RSYNCD: <version>.<subprotocol> <digest1> <digestN>
 
-where <version> is the numeric version (see PROTOCOL_VERSION in rsync.h)
-'.' is a literal period, and <subprotocol> is the numeric subprotocol
-version (see SUBPROTOCOL_VERSION -- it will be 0 for final releases).
-Protocols prior to 30 only output <version> alone.  The daemon expects
-to see a similar greeting back from the client.  For protocols prior to
-30, an absent ".<subprotocol>" value is assumed to be 0.  For protocol
-30, an absent value is a fatal error.  The daemon then follows this line
-with a free-format text message-of-the-day (if any is defined).
+The <version> is the numeric version (see PROTOCOL_VERSION in rsync.h)
+The <subprotocol> is the numeric subprotocol version (which is 0 for a
+final protocol version, as the SUBPROTOCOL_VERSION define discusses).
+The <digestN> names are the authentication digest algorithms that the
+daemon supports, listed in order of preference.
+
+An rsync prior to 3.2.7 omits the digest names.  An rsync prior to 3.0.0
+also omits the period and the <subprotocol> value.  Since a final
+protocol has a subprotocol value of 0, a missing subprotocol value is
+assumed to be 0 for any protocol prior to 30.  It is considered a fatal
+error for protocol 30 and above to omit it.  It is considered a fatal
+error for protocol 32 and above to omit the digest name list (currently
+31 is the newest protocol).
+
+The daemon expects to see a similar greeting line back from the client.
+Once received, the daemon follows the opening line with a free-format
+text message-of-the-day (if any is defined).
 
 The server is now in the connected state.  The client can either send
-the command
+the command:
 
   #list
 
-to get a listing of modules, or the name of a module.  After this, the
+(to get a listing of modules) or the name of a module.  After this, the
 connection is now bound to a particular module.  Access per host for
 this module is now checked, as is per-module connection limits.
 
-If authentication is required to use this module, the server will say
+If authentication is required to use this module, the server will say:
 
   @RSYNCD: AUTHREQD <challenge>
 
 where <challenge> is a random string of base64 characters.  The client
-must respond with
+must respond with:
 
   <user> <response>
 
-where <user> is the username they claim to be, and <response> is the
-base64 form of the MD4 hash of challenge+password.
+The <user> is the username they claim to be. The <response> is the
+base64 form of the digest hash of the challenge+password string. The
+chosen digest method is the most preferred client method that is also in
+the server's list.  If no digest list was explicitly provided, the side
+expecting a list assumes the other side provided either the single name
+"md5" (for a negotiated protocol 30 or 31), or the single name "md4"
+(for an older protocol).
 
 At this point the server applies all remaining constraints before
 handing control to the client, including switching uid/gid, setting up
@@ -76,6 +91,13 @@ stay tuned (or write it yourself!).
 ------------
 Protocol version changes
 
+31	(2013-09-28, 3.1.0)
+
+	Initial release of protocol 31 had no changes.  Rsync 3.2.7
+	introduced the suffixed list of digest names on the greeting
+	line.  The presence of the list is allowed even if the greeting
+	indicates an older protocol version number.
+
 30	(2007-10-04, 3.0.0pre1)
 
 	The use of a ".<subprotocol>" number was added to

daemon-parm.txt

@@ -60,9 +60,9 @@ BOOL	read_only		True
 BOOL	reverse_lookup		True
 BOOL	strict_modes		True
 BOOL	transfer_logging	False
-BOOL	use_chroot		True
 BOOL	write_only		False
 
 BOOL3	munge_symlinks		Unset
 BOOL3	numeric_ids		Unset
 BOOL3	open_noatime		Unset
+BOOL3	use_chroot		Unset

delete.c

@@ -98,7 +98,7 @@ static enum delret delete_dir_contents(char *fname, uint16 flags)
 
 		strlcpy(p, fp->basename, remainder);
 		if (!(fp->mode & S_IWUSR) && !am_root && fp->flags & FLAG_OWNED_BY_US)
-			do_chmod(fname, fp->mode | S_IWUSR);
+			do_chmod_at(fname, fp->mode | S_IWUSR);
 		/* Save stack by recursing to ourself directly. */
 		if (S_ISDIR(fp->mode)) {
 			if (delete_dir_contents(fname, flags | DEL_RECURSE) != DR_SUCCESS)
@@ -139,7 +139,7 @@ enum delret delete_item(char *fbuf, uint16 mode, uint16 flags)
 	}
 
 	if (flags & DEL_NO_UID_WRITE)
-		do_chmod(fbuf, mode | S_IWUSR);
+		do_chmod_at(fbuf, mode | S_IWUSR);
 
 	if (S_ISDIR(mode) && !(flags & DEL_DIR_IS_EMPTY)) {
 		/* This only happens on the first call to delete_item() since
@@ -160,7 +160,7 @@ enum delret delete_item(char *fbuf, uint16 mode, uint16 flags)
 
 	if (S_ISDIR(mode)) {
 		what = "rmdir";
-		ok = do_rmdir(fbuf) == 0;
+		ok = do_rmdir_at(fbuf) == 0;
 	} else {
 		if (make_backups > 0 && !(flags & DEL_FOR_BACKUP) && (backup_dir || !is_backup_file(fbuf))) {
 			what = "make_backup";

exclude.c

@@ -4,7 +4,7 @@
  * Copyright (C) 1996-2001 Andrew Tridgell <tridge@samba.org>
  * Copyright (C) 1996 Paul Mackerras
  * Copyright (C) 2002 Martin Pool
- * Copyright (C) 2003-2020 Wayne Davison
+ * Copyright (C) 2003-2022 Wayne Davison
  *
  * This program is free software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License as published by
@@ -25,16 +25,21 @@
 
 extern int am_server;
 extern int am_sender;
+extern int am_generator;
 extern int eol_nulls;
 extern int io_error;
+extern int xfer_dirs;
+extern int recurse;
 extern int local_server;
 extern int prune_empty_dirs;
 extern int ignore_perishable;
+extern int relative_paths;
 extern int delete_mode;
 extern int delete_excluded;
 extern int cvs_exclude;
 extern int sanitize_paths;
 extern int protocol_version;
+extern int trust_sender_args;
 extern int module_id;
 
 extern char curr_dir[MAXPATHLEN];
@@ -44,8 +49,11 @@ extern unsigned int module_dirlen;
 filter_rule_list filter_list = { .debug_type = "" };
 filter_rule_list cvs_filter_list = { .debug_type = " [global CVS]" };
 filter_rule_list daemon_filter_list = { .debug_type = " [daemon]" };
+filter_rule_list implied_filter_list = { .debug_type = " [implied]" };
 
 int saw_xattr_filter = 0;
+int trust_sender_args = 0;
+int trust_sender_filter = 0;
 
 /* Need room enough for ":MODS " prefix plus some room to grow. */
 #define MAX_RULE_PREFIX (16)
@@ -70,6 +78,10 @@ static filter_rule **mergelist_parents;
 static int mergelist_cnt = 0;
 static int mergelist_size = 0;
 
+#define LOCAL_RULE   1
+#define REMOTE_RULE  2
+static uchar cur_elide_value = REMOTE_RULE;
+
 /* Each filter_list_struct describes a singly-linked list by keeping track
  * of both the head and tail pointers.  The list is slightly unusual in that
  * a parent-dir's content can be appended to the end of the local list in a
@@ -152,13 +164,17 @@ static void add_rule(filter_rule_list *listp, const char *pat, unsigned int pat_
 {
 	const char *cp;
 	unsigned int pre_len, suf_len, slash_cnt = 0;
+	char *mention_rule_suffix;
 
-	if (DEBUG_GTE(FILTER, 2)) {
-		rprintf(FINFO, "[%s] add_rule(%s%.*s%s)%s\n",
+	if (DEBUG_GTE(FILTER, 1) && pat_len && (pat[pat_len-1] == ' ' || pat[pat_len-1] == '\t'))
+		mention_rule_suffix = " -- CAUTION: trailing whitespace!";
+	else
+		mention_rule_suffix = DEBUG_GTE(FILTER, 2) ? "" : NULL;
+	if (mention_rule_suffix) {
+		rprintf(FINFO, "[%s] add_rule(%s%.*s%s)%s%s\n",
 			who_am_i(), get_rule_prefix(rule, pat, 0, NULL),
-			(int)pat_len, pat,
-			(rule->rflags & FILTRULE_DIRECTORY) ? "/" : "",
-			listp->debug_type);
+			(int)pat_len, pat, (rule->rflags & FILTRULE_DIRECTORY) ? "/" : "",
+			listp->debug_type, mention_rule_suffix);
 	}
 
 	/* These flags also indicate that we're reading a list that
@@ -208,6 +224,7 @@ static void add_rule(filter_rule_list *listp, const char *pat, unsigned int pat_
 				slash_cnt++;
 		}
 	}
+	rule->elide = 0;
 	strlcpy(rule->pattern + pre_len, pat, pat_len + 1);
 	pat_len += pre_len;
 	if (suf_len) {
@@ -288,6 +305,271 @@ static void add_rule(filter_rule_list *listp, const char *pat, unsigned int pat_
 	}
 }
 
+/* If the wildcards failed, the remote shell might give us a file matching the literal
+ * wildcards.  Since "*" & "?" already match themselves, this just needs to deal with
+ * failed "[foo]" idioms.
+ */
+static void maybe_add_literal_brackets_rule(filter_rule const *based_on, int arg_len)
+{
+	filter_rule *rule;
+	const char *arg = based_on->pattern, *cp;
+	char *p;
+	int cnt = 0;
+
+	if (arg_len < 0)
+		arg_len = strlen(arg);
+
+	for (cp = arg; *cp; cp++) {
+		if (*cp == '\\' && cp[1]) {
+			cp++;
+		} else if (*cp == '[')
+			cnt++;
+	}
+	if (!cnt)
+		return;
+
+	rule = new0(filter_rule);
+	rule->rflags = based_on->rflags;
+	rule->u.slash_cnt = based_on->u.slash_cnt;
+	p = rule->pattern = new_array(char, arg_len + cnt + 1);
+	for (cp = arg; *cp; ) {
+		if (*cp == '\\' && cp[1]) {
+			*p++ = *cp++;
+		} else if (*cp == '[')
+			*p++ = '\\';
+		*p++ = *cp++;
+	}
+	*p++ = '\0';
+
+	rule->next = implied_filter_list.head;
+	implied_filter_list.head = rule;
+	if (DEBUG_GTE(FILTER, 3)) {
+		rprintf(FINFO, "[%s] add_implied_include(%s%s)\n", who_am_i(), rule->pattern,
+			rule->rflags & FILTRULE_DIRECTORY ? "/" : "");
+	}
+}
+
+static char *partial_string_buf = NULL;
+static int partial_string_len = 0;
+void implied_include_partial_string(const char *s_start, const char *s_end)
+{
+	partial_string_len = s_end - s_start;
+	if (partial_string_len <= 0 || partial_string_len >= MAXPATHLEN) { /* too-large should be impossible... */
+		partial_string_len = 0;
+		return;
+	}
+	if (!partial_string_buf)
+		partial_string_buf = new_array(char, MAXPATHLEN);
+	memcpy(partial_string_buf, s_start, partial_string_len);
+}
+
+void free_implied_include_partial_string()
+{
+	if (partial_string_buf) {
+		if (partial_string_len)
+			add_implied_include("", 0);
+		free(partial_string_buf);
+		partial_string_buf = NULL;
+	}
+	partial_string_len = 0; /* paranoia */
+}
+
+/* Each arg the client sends to the remote sender turns into an implied include
+ * that the receiver uses to validate the file list from the sender. */
+void add_implied_include(const char *arg, int skip_daemon_module)
+{
+	int arg_len, saw_wild = 0, saw_live_open_brkt = 0, backslash_cnt = 0;
+	int slash_cnt = 0;
+	const char *cp;
+	char *p;
+	if (trust_sender_args)
+		return;
+	if (partial_string_len) {
+		arg_len = strlen(arg);
+		if (partial_string_len + arg_len >= MAXPATHLEN) {
+			partial_string_len = 0;
+			return; /* Should be impossible... */
+		}
+		memcpy(partial_string_buf + partial_string_len, arg, arg_len + 1);
+		partial_string_len = 0;
+		arg = partial_string_buf;
+	}
+	if (skip_daemon_module) {
+		if ((cp = strchr(arg, '/')) != NULL)
+			arg = cp + 1;
+		else
+			arg = "";
+	}
+	if (relative_paths) {
+		if ((cp = strstr(arg, "/./")) != NULL)
+			arg = cp + 3;
+	} else if ((cp = strrchr(arg, '/')) != NULL) {
+		arg = cp + 1;
+	}
+	if (*arg == '.' && arg[1] == '\0')
+		arg++;
+	arg_len = strlen(arg);
+	if (arg_len) {
+		char *new_pat;
+		if (strpbrk(arg, "*[?")) {
+			/* We need to add room to escape backslashes if wildcard chars are present. */
+			for (cp = arg; (cp = strchr(cp, '\\')) != NULL; cp++)
+				arg_len++;
+			saw_wild = 1;
+		}
+		arg_len++; /* Leave room for the prefixed slash */
+		p = new_pat = new_array(char, arg_len + 1);
+		*p++ = '/';
+		slash_cnt++;
+		for (cp = arg; *cp; ) {
+			switch (*cp) {
+			  case '\\':
+				if (cp[1] == ']') {
+					if (!saw_wild)
+						cp++; /* A \] in a non-wild filter causes a problem, so drop the \ . */
+				} else if (!strchr("*[?", cp[1])) {
+					backslash_cnt++;
+					if (saw_wild)
+						*p++ = '\\';
+				}
+				*p++ = *cp++;
+				break;
+			  case '/':
+				if (p[-1] == '/') { /* This is safe because of the initial slash. */
+					if (*++cp == '\0') {
+						slash_cnt--;
+						p--;
+					}
+				} else if (cp[1] == '\0') {
+					cp++;
+				} else {
+					slash_cnt++;
+					*p++ = *cp++;
+				}
+				break;
+			  case '.':
+				if (p[-1] == '/') {
+					if (cp[1] == '/') {
+						cp += 2;
+						if (!*cp) {
+							slash_cnt--;
+							p--;
+						}
+					} else if (cp[1] == '\0') {
+						cp++;
+						slash_cnt--;
+						p--;
+					} else
+						*p++ = *cp++;
+				} else
+					*p++ = *cp++;
+				break;
+			  case '[':
+				saw_live_open_brkt = 1;
+				*p++ = *cp++;
+				break;
+			  default:
+				*p++ = *cp++;
+				break;
+			}
+		}
+		*p = '\0';
+		arg_len = p - new_pat;
+		if (!arg_len)
+			free(new_pat);
+		else {
+			filter_rule *rule = new0(filter_rule);
+			rule->rflags = FILTRULE_INCLUDE + (saw_wild ? FILTRULE_WILD : 0);
+			rule->u.slash_cnt = slash_cnt;
+			arg = rule->pattern = new_pat;
+			if (!implied_filter_list.head)
+				implied_filter_list.head = implied_filter_list.tail = rule;
+			else {
+				rule->next = implied_filter_list.head;
+				implied_filter_list.head = rule;
+			}
+			if (DEBUG_GTE(FILTER, 3))
+				rprintf(FINFO, "[%s] add_implied_include(%s)\n", who_am_i(), arg);
+			if (saw_live_open_brkt)
+				maybe_add_literal_brackets_rule(rule, arg_len);
+			if (relative_paths && slash_cnt) {
+				int sub_slash_cnt = slash_cnt;
+				while ((p = strrchr(new_pat, '/')) != NULL && p != new_pat) {
+					filter_rule const *ent;
+					filter_rule *R_rule;
+					int found = 0;
+					*p = '\0';
+					for (ent = implied_filter_list.head; ent; ent = ent->next) {
+						if (ent != rule && strcmp(ent->pattern, new_pat) == 0) {
+							found = 1;
+							break;
+						}
+					}
+					if (found) {
+						*p = '/';
+						break; /* We added all parent dirs already */
+					}
+					R_rule = new0(filter_rule);
+					R_rule->rflags = FILTRULE_INCLUDE | FILTRULE_DIRECTORY;
+					/* Check if our sub-path has wildcards or escaped backslashes */
+					if (saw_wild && strpbrk(new_pat, "*[?\\"))
+						R_rule->rflags |= FILTRULE_WILD;
+					R_rule->pattern = strdup(new_pat);
+					R_rule->u.slash_cnt = --sub_slash_cnt;
+					R_rule->next = implied_filter_list.head;
+					implied_filter_list.head = R_rule;
+					if (DEBUG_GTE(FILTER, 3)) {
+						rprintf(FINFO, "[%s] add_implied_include(%s/)\n",
+							who_am_i(), R_rule->pattern);
+					}
+					if (saw_live_open_brkt)
+						maybe_add_literal_brackets_rule(R_rule, -1);
+				}
+				for (p = new_pat; sub_slash_cnt < slash_cnt; sub_slash_cnt++) {
+					p += strlen(p);
+					*p = '/';
+				}
+			}
+		}
+	}
+
+	if (recurse || xfer_dirs) {
+		/* Now create a rule with an added "/" & "**" or "*" at the end */
+		filter_rule *rule = new0(filter_rule);
+		rule->rflags = FILTRULE_INCLUDE | FILTRULE_WILD;
+		if (recurse)
+			rule->rflags |= FILTRULE_WILD2;
+		/* We must leave enough room for / * * \0. */
+		if (!saw_wild && backslash_cnt) {
+			/* We are appending a wildcard, so now the backslashes need to be escaped. */
+			p = rule->pattern = new_array(char, arg_len + backslash_cnt + 3 + 1);
+			for (cp = arg; *cp; ) { /* Note that arg_len != 0 because backslash_cnt > 0 */
+				if (*cp == '\\')
+					*p++ = '\\';
+				*p++ = *cp++;
+			}
+		} else {
+			p = rule->pattern = new_array(char, arg_len + 3 + 1);
+			if (arg_len) {
+				memcpy(p, arg, arg_len);
+				p += arg_len;
+			}
+		}
+		*p++ = '/';
+		*p++ = '*';
+		if (recurse)
+			*p++ = '*';
+		*p = '\0';
+		rule->u.slash_cnt = slash_cnt + 1;
+		rule->next = implied_filter_list.head;
+		implied_filter_list.head = rule;
+		if (DEBUG_GTE(FILTER, 3))
+			rprintf(FINFO, "[%s] add_implied_include(%s)\n", who_am_i(), rule->pattern);
+		if (saw_live_open_brkt)
+			maybe_add_literal_brackets_rule(rule, p - rule->pattern);
+	}
+}
+
 /* This frees any non-inherited items, leaving just inherited items on the list. */
 static void pop_filter_list(filter_rule_list *listp)
 {
@@ -438,7 +720,8 @@ static BOOL setup_merge_file(int mergelist_num, filter_rule *ex,
 	parent_dirscan = True;
 	while (*y) {
 		char save[MAXPATHLEN];
-		strlcpy(save, y, MAXPATHLEN);
+		/* copylen is strlen(y) which is < MAXPATHLEN. +1 for \0 */
+		size_t copylen = strlcpy(save, y, MAXPATHLEN) + 1;
 		*y = '\0';
 		dirbuf_len = y - dirbuf;
 		strlcpy(x, ex->pattern, MAXPATHLEN - (x - buf));
@@ -452,7 +735,7 @@ static BOOL setup_merge_file(int mergelist_num, filter_rule *ex,
 			lp->head = NULL;
 		}
 		lp->tail = NULL;
-		strlcpy(y, save, MAXPATHLEN);
+		strlcpy(y, save, copylen);
 		while ((*x++ = *y++) != '/') {}
 	}
 	parent_dirscan = False;
@@ -621,11 +904,11 @@ static int rule_matches(const char *fname, filter_rule *ex, int name_flags)
 {
 	int slash_handling, str_cnt = 0, anchored_match = 0;
 	int ret_match = ex->rflags & FILTRULE_NEGATE ? 0 : 1;
-	char *p, *pattern = ex->pattern;
+	const char *p, *pattern = ex->pattern;
 	const char *strings[16]; /* more than enough */
 	const char *name = fname + (*fname == '/');
 
-	if (!*name)
+	if (!*name || ex->elide == cur_elide_value)
 		return 0;
 
 	if (!(name_flags & NAME_IS_XATTR) ^ !(ex->rflags & FILTRULE_XATTR))
@@ -702,11 +985,12 @@ static void report_filter_result(enum logcode code, char const *name,
 				 filter_rule const *ent,
 				 int name_flags, const char *type)
 {
+	int log_level = am_sender || am_generator ? 1 : 3;
+
 	/* If a trailing slash is present to match only directories,
 	 * then it is stripped out by add_rule().  So as a special
-	 * case we add it back in here. */
-
-	if (DEBUG_GTE(FILTER, 1)) {
+	 * case we add it back in the log output. */
+	if (DEBUG_GTE(FILTER, log_level)) {
 		static char *actions[2][2]
 		    = { {"show", "hid"}, {"risk", "protect"} };
 		const char *w = who_am_i();
@@ -714,7 +998,7 @@ static void report_filter_result(enum logcode code, char const *name,
 			      : name_flags & NAME_IS_DIR ? "directory"
 			      : "file";
 		rprintf(code, "[%s] %sing %s %s because of pattern %s%s%s\n",
-		    w, actions[*w!='s'][!(ent->rflags & FILTRULE_INCLUDE)],
+		    w, actions[*w=='g'][!(ent->rflags & FILTRULE_INCLUDE)],
 		    t, name, ent->pattern,
 		    ent->rflags & FILTRULE_DIRECTORY ? "/" : "", type);
 	}
@@ -740,6 +1024,15 @@ int name_is_excluded(const char *fname, int name_flags, int filter_level)
 	return 0;
 }
 
+int check_server_filter(filter_rule_list *listp, enum logcode code, const char *name, int name_flags)
+{
+	int ret;
+	cur_elide_value = LOCAL_RULE;
+	ret = check_filter(listp, code, name, name_flags);
+	cur_elide_value = REMOTE_RULE;
+	return ret;
+}
+
 /* Return -1 if file "name" is defined to be excluded by the specified
  * exclude list, 1 if it is included, and 0 if it was not matched. */
 int check_filter(filter_rule_list *listp, enum logcode code,
@@ -886,6 +1179,7 @@ static filter_rule *parse_rule_tok(const char **rulestr_ptr,
 		}
 		switch (ch) {
 		case ':':
+			trust_sender_filter = 1;
 			rule->rflags |= FILTRULE_PERDIR_MERGE
 				      | FILTRULE_FINISH_SETUP;
 			/* FALL THROUGH */
@@ -1294,7 +1588,7 @@ char *get_rule_prefix(filter_rule *rule, const char *pat, int for_xfer,
 
 static void send_rules(int f_out, filter_rule_list *flp)
 {
-	filter_rule *ent, *prev = NULL;
+	filter_rule *ent;
 
 	for (ent = flp->head; ent; ent = ent->next) {
 		unsigned int len, plen, dlen;
@@ -1309,21 +1603,15 @@ static void send_rules(int f_out, filter_rule_list *flp)
 		 * merge files as an optimization (since they can only have
 		 * include/exclude rules). */
 		if (ent->rflags & FILTRULE_SENDER_SIDE)
-			elide = am_sender ? 1 : -1;
+			elide = am_sender ? LOCAL_RULE : REMOTE_RULE;
 		if (ent->rflags & FILTRULE_RECEIVER_SIDE)
-			elide = elide ? 0 : am_sender ? -1 : 1;
+			elide = elide ? 0 : am_sender ? REMOTE_RULE : LOCAL_RULE;
 		else if (delete_excluded && !elide
 		 && (!(ent->rflags & FILTRULE_PERDIR_MERGE)
 		  || ent->rflags & FILTRULE_NO_PREFIXES))
-			elide = am_sender ? 1 : -1;
-		if (elide < 0) {
-			if (prev)
-				prev->next = ent->next;
-			else
-				flp->head = ent->next;
-		} else
-			prev = ent;
-		if (elide > 0)
+			elide = am_sender ? LOCAL_RULE : REMOTE_RULE;
+		ent->elide = elide;
+		if (elide == LOCAL_RULE)
 			continue;
 		if (ent->rflags & FILTRULE_CVS_IGNORE
 		    && !(ent->rflags & FILTRULE_MERGE_FILE)) {
@@ -1351,7 +1639,6 @@ static void send_rules(int f_out, filter_rule_list *flp)
 		if (dlen)
 			write_byte(f_out, '/');
 	}
-	flp->tail = prev;
 }
 
 /* This is only called by the client. */

flist.c

@@ -33,7 +33,6 @@ extern int am_sender;
 extern int am_generator;
 extern int inc_recurse;
 extern int always_checksum;
-extern int checksum_type;
 extern int module_id;
 extern int ignore_errors;
 extern int numeric_ids;
@@ -43,6 +42,7 @@ extern int use_qsort;
 extern int xfer_dirs;
 extern int filesfrom_fd;
 extern int one_file_system;
+extern int copy_devices;
 extern int copy_dirlinks;
 extern int preserve_uid;
 extern int preserve_gid;
@@ -72,18 +72,20 @@ extern int need_unsorted_flist;
 extern int sender_symlink_iconv;
 extern int output_needs_newline;
 extern int sender_keeps_checksum;
+extern int trust_sender_filter;
 extern int unsort_ndx;
 extern uid_t our_uid;
 extern struct stats stats;
 extern char *filesfrom_host;
 extern char *usermap, *groupmap;
 
+extern struct name_num_item *file_sum_nni;
+
 extern char curr_dir[MAXPATHLEN];
 
 extern struct chmod_mode_struct *chmod_modes;
 
-extern filter_rule_list filter_list;
-extern filter_rule_list daemon_filter_list;
+extern filter_rule_list filter_list, implied_filter_list, daemon_filter_list;
 
 #ifdef ICONV_OPTION
 extern int filesfrom_convert;
@@ -144,7 +146,8 @@ void init_flist(void)
 		rprintf(FINFO, "FILE_STRUCT_LEN=%d, EXTRA_LEN=%d\n",
 			(int)FILE_STRUCT_LEN, (int)EXTRA_LEN);
 	}
-	flist_csum_len = csum_len_for_type(checksum_type, 1);
+	/* Note that this isn't identical to file_sum_len in the case of CSUM_MD4_ARCHAIC: */
+	flist_csum_len = csum_len_for_type(file_sum_nni->num, 1);
 
 	show_filelist_progress = INFO_GTE(FLIST, 1) && xfer_dirs && !am_server && !inc_recurse;
 }
@@ -700,6 +703,7 @@ static struct file_struct *recv_file_entry(int f, struct file_list *flist, int x
 	int alloc_len, basename_len, linkname_len;
 	int extra_len = file_extra_cnt * EXTRA_LEN;
 	int first_hlink_ndx = -1;
+	char real_ISREG_entry;
 	int64 file_length;
 #ifdef CAN_SET_NSEC
 	uint32 modtime_nsec;
@@ -752,7 +756,7 @@ static struct file_struct *recv_file_entry(int f, struct file_list *flist, int x
 	if (*thisname
 	 && (clean_fname(thisname, CFN_REFUSE_DOT_DOT_DIRS) < 0 || (!relative_paths && *thisname == '/'))) {
 		rprintf(FERROR, "ABORTING due to unsafe pathname from sender: %s\n", thisname);
-		exit_cleanup(RERR_PROTOCOL);
+		exit_cleanup(RERR_UNSUPPORTED);
 	}
 
 	if (sanitize_paths)
@@ -814,6 +818,7 @@ static struct file_struct *recv_file_entry(int f, struct file_list *flist, int x
 				linkname_len = strlen(F_SYMLINK(first)) + 1;
 			else
 				linkname_len = 0;
+			real_ISREG_entry = S_ISREG(mode) ? 1 : 0;
 			goto create_object;
 		}
 	}
@@ -831,13 +836,13 @@ static struct file_struct *recv_file_entry(int f, struct file_list *flist, int x
 			}
 #endif
 		} else
-			modtime = read_int(f);
+			modtime = read_uint(f);
 	}
 	if (xflags & XMIT_MOD_NSEC)
 #ifndef CAN_SET_NSEC
-		(void)read_varint(f);
+		(void)read_varint_bounded(f, 0, MAX_WIRE_NSEC, "modtime_nsec");
 #else
-		modtime_nsec = read_varint(f);
+		modtime_nsec = read_varint_bounded(f, 0, MAX_WIRE_NSEC, "modtime_nsec");
 	else
 		modtime_nsec = 0;
 #endif
@@ -856,8 +861,19 @@ static struct file_struct *recv_file_entry(int f, struct file_list *flist, int x
 #endif
 	}
 #endif
-	if (!(xflags & XMIT_SAME_MODE))
+	if (!(xflags & XMIT_SAME_MODE)) {
 		mode = from_wire_mode(read_int(f));
+		/* Reject modes whose type bits are not one of the standard
+		 * file types; otherwise garbage mode values propagate through
+		 * the file-type checks below unpredictably. */
+		if (!S_ISREG(mode) && !S_ISDIR(mode) && !S_ISLNK(mode)
+		 && !S_ISCHR(mode) && !S_ISBLK(mode)
+		 && !S_ISFIFO(mode) && !S_ISSOCK(mode)) {
+			rprintf(FERROR, "invalid file mode 0%o for %s [%s]\n",
+				(unsigned)mode, lastname, who_am_i());
+			exit_cleanup(RERR_PROTOCOL);
+		}
+	}
 	if (atimes_ndx && !S_ISDIR(mode) && !(xflags & XMIT_SAME_ATIME)) {
 		atime = read_varlong(f, 4);
 #if SIZEOF_TIME_T < SIZEOF_INT64
@@ -941,10 +957,20 @@ static struct file_struct *recv_file_entry(int f, struct file_list *flist, int x
 #endif
 		linkname_len = 0;
 
+	if (copy_devices && IS_DEVICE(mode)) {
+		/* This is impossible in the official release, but some pre-release patches
+		 * didn't convert the device into a file before sending, so we'll do it here
+		 * (even though the length is typically 0 and any checksum data is zeros). */
+		mode = S_IFREG | (mode & ACCESSPERMS);
+		modtime = time(NULL); /* The mtime on the device is not up-to-date, so set it to "now". */
+		real_ISREG_entry = 0;
+	} else
+		real_ISREG_entry = S_ISREG(mode) ? 1 : 0;
+
 #ifdef SUPPORT_HARD_LINKS
   create_object:
 	if (preserve_hard_links) {
-		if (protocol_version < 28 && S_ISREG(mode))
+		if (protocol_version < 28 && real_ISREG_entry)
 			xflags |= XMIT_HLINKED;
 		if (xflags & XMIT_HLINKED)
 			extra_len += (inc_recurse+1) * EXTRA_LEN;
@@ -973,6 +999,19 @@ static struct file_struct *recv_file_entry(int f, struct file_list *flist, int x
 		exit_cleanup(RERR_UNSUPPORTED);
 	}
 
+	if (*thisname == '/' ? thisname[1] != '.' || thisname[2] != '\0' : *thisname != '.' || thisname[1] != '\0') {
+		int filt_flags = S_ISDIR(mode) ? NAME_IS_DIR : NAME_IS_FILE;
+		if (!trust_sender_filter /* a per-dir filter rule means we must trust the sender's filtering */
+		 && filter_list.head && check_server_filter(&filter_list, FINFO, thisname, filt_flags) < 0) {
+			rprintf(FERROR, "ERROR: rejecting excluded file-list name: %s\n", thisname);
+			exit_cleanup(RERR_UNSUPPORTED);
+		}
+		if (implied_filter_list.head && check_filter(&implied_filter_list, FINFO, thisname, filt_flags) <= 0) {
+			rprintf(FERROR, "ERROR: rejecting unrequested file-list name: %s\n", thisname);
+			exit_cleanup(RERR_UNSUPPORTED);
+		}
+	}
+
 	if (inc_recurse && S_ISDIR(mode)) {
 		if (one_file_system) {
 			/* Room to save the dir's device for -x */
@@ -1160,8 +1199,8 @@ static struct file_struct *recv_file_entry(int f, struct file_list *flist, int x
 	}
 #endif
 
-	if (always_checksum && (S_ISREG(mode) || protocol_version < 28)) {
-		if (S_ISREG(mode))
+	if (always_checksum && (real_ISREG_entry || protocol_version < 28)) {
+		if (real_ISREG_entry)
 			bp = F_SUM(file);
 		else {
 			/* Prior to 28, we get a useless set of nulls. */
@@ -1360,6 +1399,18 @@ struct file_struct *make_file(const char *fname, struct file_list *flist,
 	linkname_len = 0;
 #endif
 
+	if (copy_devices && am_sender && IS_DEVICE(st.st_mode)) {
+		if (st.st_size == 0) {
+			int fd = do_open_checklinks(fname);
+			if (fd >= 0) {
+				st.st_size = get_device_size(fd, fname);
+				close(fd);
+			}
+		}
+		st.st_mode = S_IFREG | (st.st_mode & ACCESSPERMS);
+		st.st_mtime = time(NULL); /* The mtime on the device is not up-to-date, so set it to "now". */
+	}
+
 #ifdef ST_MTIME_NSEC
 	if (st.ST_MTIME_NSEC && protocol_version >= 31)
 		extra_len += EXTRA_LEN;
@@ -2544,6 +2595,19 @@ struct file_list *recv_file_list(int f, int dir_ndx)
 		init_hard_links();
 #endif
 
+	if (inc_recurse && dir_ndx >= 0) {
+		if (dir_ndx >= dir_flist->used) {
+			rprintf(FERROR_XFER, "rsync: refusing invalid dir_ndx %u >= %u\n", dir_ndx, dir_flist->used);
+			exit_cleanup(RERR_PROTOCOL);
+		}
+		struct file_struct *file = dir_flist->files[dir_ndx];
+		if (file->flags & FLAG_GOT_DIR_FLIST) {
+			rprintf(FERROR_XFER, "rsync: refusing malicious duplicate flist for dir %d\n", dir_ndx);
+			exit_cleanup(RERR_PROTOCOL);
+		}
+		file->flags |= FLAG_GOT_DIR_FLIST;
+	}
+
 	flist = flist_new(0, "recv_file_list");
 	flist_expand(flist, FLIST_START_LARGE);
 
@@ -2602,7 +2666,7 @@ struct file_list *recv_file_list(int f, int dir_ndx)
 					rprintf(FERROR,
 						"ABORTING due to invalid path from sender: %s/%s\n",
 						cur_dir, file->basename);
-					exit_cleanup(RERR_PROTOCOL);
+					exit_cleanup(RERR_UNSUPPORTED);
 				}
 				good_dirname = cur_dir;
 			}

generator.c

@@ -35,11 +35,11 @@ extern int inc_recurse;
 extern int relative_paths;
 extern int implied_dirs;
 extern int keep_dirlinks;
+extern int write_devices;
 extern int preserve_acls;
 extern int preserve_xattrs;
 extern int preserve_links;
 extern int preserve_devices;
-extern int write_devices;
 extern int preserve_specials;
 extern int preserve_hard_links;
 extern int preserve_executability;
@@ -229,11 +229,13 @@ static int read_delay_line(char *buf, int *flags_p)
 		*flags_p = 0;
 
 	if (sscanf(bp, "%x ", &mode) != 1) {
-	  invalid_data:
-		rprintf(FERROR, "ERROR: invalid data in delete-delay file.\n");
-		return -1;
+		goto invalid_data;
 	}
-	past_space = strchr(bp, ' ') + 1;
+	past_space = strchr(bp, ' ');
+	if (!past_space) {
+		goto invalid_data;
+	}
+	past_space++;
 	len = j - read_pos - (past_space - bp) + 1; /* count the '\0' */
 	read_pos = j + 1;
 
@@ -247,6 +249,10 @@ static int read_delay_line(char *buf, int *flags_p)
 	memcpy(buf, past_space, len);
 
 	return mode;
+
+invalid_data:
+	rprintf(FERROR, "ERROR: invalid data in delete-delay file.\n");
+	return -1;
 }
 
 static void do_delayed_deletions(char *delbuf)
@@ -875,9 +881,12 @@ static struct file_struct *find_fuzzy(struct file_struct *file, struct file_list
 			len = strlen(name);
 			suf = find_filename_suffix(name, len, &suf_len);
 
-			dist = fuzzy_distance(name, len, fname, fname_len);
-			/* Add some extra weight to how well the suffixes match. */
-			dist += fuzzy_distance(suf, suf_len, fname_suf, fname_suf_len) * 10;
+			dist = fuzzy_distance(name, len, fname, fname_len, lowest_dist);
+			/* Add some extra weight to how well the suffixes match unless we've already disqualified
+			 * this file based on a heuristic. */
+			if (dist < 0xFFFF0000U) {
+				dist += fuzzy_distance(suf, suf_len, fname_suf, fname_suf_len, 0xFFFF0000U) * 10;
+			}
 			if (DEBUG_GTE(FUZZY, 2)) {
 				rprintf(FINFO, "fuzzy distance for %s = %d.%05d\n",
 					f_name(fp, NULL), (int)(dist>>16), (int)(dist&0xFFFF));
@@ -981,7 +990,7 @@ static int try_dests_reg(struct file_struct *file, char *fname, int ndx,
 		if (find_exact_for_existing) {
 			if (alt_dest_type == LINK_DEST && real_st.st_dev == sxp->st.st_dev && real_st.st_ino == sxp->st.st_ino)
 				return -1;
-			if (do_unlink(fname) < 0 && errno != ENOENT)
+			if (do_unlink_at(fname) < 0 && errno != ENOENT)
 				goto got_nothing_for_ya;
 		}
 #ifdef SUPPORT_HARD_LINKS
@@ -1109,7 +1118,7 @@ static int try_dests_non(struct file_struct *file, char *fname, int ndx,
 		 && !IS_SPECIAL(file->mode) && !IS_DEVICE(file->mode)
 #endif
 		 && !S_ISDIR(file->mode)) {
-			if (do_link(cmpbuf, fname) < 0) {
+			if (do_link_at(cmpbuf, fname) < 0) {
 				rsyserr(FERROR_XFER, errno,
 					"failed to hard-link %s with %s",
 					cmpbuf, fname);
@@ -1312,7 +1321,7 @@ static void recv_generator(char *fname, struct file_struct *file, int ndx,
 				}
 			}
 			if (relative_paths && !implied_dirs && file->mode != 0
-			 && do_stat(dn, &sx.st) < 0) {
+			 && do_stat_at(dn, &sx.st) < 0) {
 				if (dry_run)
 					goto parent_is_dry_missing;
 				if (make_path(fname, MKP_DROP_NAME | MKP_SKIP_SLASH) < 0) {
@@ -1424,7 +1433,7 @@ static void recv_generator(char *fname, struct file_struct *file, int ndx,
 			 && (stype == FT_DIR
 			  || delete_item(fname, sx.st.st_mode, del_opts | DEL_FOR_DIR) != 0))
 				goto cleanup; /* Any errors get reported later. */
-			if (do_mkdir(fname, (file->mode|added_perms) & 0700) == 0)
+			if (do_mkdir_at(fname, (file->mode|added_perms) & 0700) == 0)
 				file->flags |= FLAG_DIR_CREATED;
 			goto cleanup;
 		}
@@ -1466,10 +1475,10 @@ static void recv_generator(char *fname, struct file_struct *file, int ndx,
 			itemize(fnamecmp, file, ndx, statret, &sx,
 				statret ? ITEM_LOCAL_CHANGE : 0, 0, NULL);
 		}
-		if (real_ret != 0 && do_mkdir(fname,file->mode|added_perms) < 0 && errno != EEXIST) {
+		if (real_ret != 0 && do_mkdir_at(fname,file->mode|added_perms) < 0 && errno != EEXIST) {
 			if (!relative_paths || errno != ENOENT
 			 || make_path(fname, MKP_DROP_NAME | MKP_SKIP_SLASH) < 0
-			 || (do_mkdir(fname, file->mode|added_perms) < 0 && errno != EEXIST)) {
+			 || (do_mkdir_at(fname, file->mode|added_perms) < 0 && errno != EEXIST)) {
 				rsyserr(FERROR_XFER, errno,
 					"recv_generator: mkdir %s failed",
 					full_fname(fname));
@@ -1496,7 +1505,7 @@ static void recv_generator(char *fname, struct file_struct *file, int ndx,
 #ifdef HAVE_CHMOD
 		if (!am_root && (file->mode & S_IRWXU) != S_IRWXU && dir_tweaking) {
 			mode_t mode = file->mode | S_IRWXU;
-			if (do_chmod(fname, mode) < 0) {
+			if (do_chmod_at(fname, mode) < 0) {
 				rsyserr(FERROR_XFER, errno,
 					"failed to modify permissions on %s",
 					full_fname(fname));
@@ -1793,13 +1802,19 @@ static void recv_generator(char *fname, struct file_struct *file, int ndx,
 		goto cleanup;
 	}
 
+	if (write_devices && IS_DEVICE(sx.st.st_mode) && sx.st.st_size == 0) {
+		/* This early open into fd skips the regular open below. */
+		if ((fd = do_open_nofollow(fnamecmp, O_RDONLY)) >= 0)
+			real_sx.st.st_size = sx.st.st_size = get_device_size(fd, fnamecmp);
+	}
+
 	if (fnamecmp_type <= FNAMECMP_BASIS_DIR_HIGH)
 		;
 	else if (fnamecmp_type >= FNAMECMP_FUZZY)
 		;
 	else if (quick_check_ok(FT_REG, fnamecmp, file, &sx.st)) {
 		if (partialptr) {
-			do_unlink(partialptr);
+			do_unlink_at(partialptr);
 			handle_partial_dir(partialptr, PDIR_DELETE);
 		}
 		set_file_attrs(fname, file, &sx, NULL, maybe_ATTRS_REPORT | maybe_ATTRS_ACCURATE_TIME);
@@ -1813,7 +1828,7 @@ static void recv_generator(char *fname, struct file_struct *file, int ndx,
 			goto cleanup;
 	  return_with_success:
 		if (!dry_run)
-			send_msg_int(MSG_SUCCESS, ndx);
+			send_msg_success(fname, ndx);
 		goto cleanup;
 	}
 
@@ -1858,7 +1873,7 @@ static void recv_generator(char *fname, struct file_struct *file, int ndx,
 	}
 
 	/* open the file */
-	if ((fd = do_open(fnamecmp, O_RDONLY, 0)) < 0) {
+	if (fd < 0 && (fd = do_open_checklinks(fnamecmp)) < 0) {
 		rsyserr(FERROR, errno, "failed to open %s, continuing",
 			full_fname(fnamecmp));
 	  pretend_missing:
@@ -1875,11 +1890,9 @@ static void recv_generator(char *fname, struct file_struct *file, int ndx,
 
 	if (inplace && make_backups > 0 && fnamecmp_type == FNAMECMP_FNAME) {
 		if (!(backupptr = get_backup_name(fname))) {
-			close(fd);
 			goto cleanup;
 		}
 		if (!(back_file = make_file(fname, NULL, NULL, 0, NO_FILTERS))) {
-			close(fd);
 			goto pretend_missing;
 		}
 		if (robust_unlink(backupptr) && errno != ENOENT) {
@@ -1887,14 +1900,12 @@ static void recv_generator(char *fname, struct file_struct *file, int ndx,
 				full_fname(backupptr));
 			unmake_file(back_file);
 			back_file = NULL;
-			close(fd);
 			goto cleanup;
 		}
-		if ((f_copy = do_open(backupptr, O_WRONLY | O_CREAT | O_TRUNC | O_EXCL, 0600)) < 0) {
+		if ((f_copy = do_open_at(backupptr, O_WRONLY | O_CREAT | O_TRUNC | O_EXCL, 0600)) < 0) {
 			rsyserr(FERROR_XFER, errno, "open %s", full_fname(backupptr));
 			unmake_file(back_file);
 			back_file = NULL;
-			close(fd);
 			goto cleanup;
 		}
 		fnamecmp_type = FNAMECMP_BACKUP;
@@ -1945,7 +1956,6 @@ static void recv_generator(char *fname, struct file_struct *file, int ndx,
 		write_sum_head(f_out, NULL);
 	else if (sx.st.st_size <= 0) {
 		write_sum_head(f_out, NULL);
-		close(fd);
 	} else {
 		if (generate_and_send_sums(fd, sx.st.st_size, f_out, f_copy) < 0) {
 			rprintf(FWARNING,
@@ -1953,10 +1963,11 @@ static void recv_generator(char *fname, struct file_struct *file, int ndx,
 				fnamecmp);
 			write_sum_head(f_out, NULL);
 		}
-		close(fd);
 	}
 
   cleanup:
+	if (fd >= 0)
+		close(fd);
 	if (back_file) {
 		int save_preserve_xattrs = preserve_xattrs;
 		if (f_copy >= 0)
@@ -2011,7 +2022,7 @@ int atomic_create(struct file_struct *file, char *fname, const char *slnk, const
 
 	if (slnk) {
 #ifdef SUPPORT_LINKS
-		if (do_symlink(slnk, create_name) < 0) {
+		if (do_symlink_at(slnk, create_name) < 0) {
 			rsyserr(FERROR_XFER, errno, "symlink %s -> \"%s\" failed",
 				full_fname(create_name), slnk);
 			return 0;
@@ -2027,7 +2038,7 @@ int atomic_create(struct file_struct *file, char *fname, const char *slnk, const
 		return 0;
 #endif
 	} else {
-		if (do_mknod(create_name, file->mode, rdev) < 0) {
+		if (do_mknod_at(create_name, file->mode, rdev) < 0) {
 			rsyserr(FERROR_XFER, errno, "mknod %s failed",
 				full_fname(create_name));
 			return 0;
@@ -2035,10 +2046,14 @@ int atomic_create(struct file_struct *file, char *fname, const char *slnk, const
 	}
 
 	if (!skip_atomic) {
-		if (do_rename(tmpname, fname) < 0) {
+		if (do_rename_at(tmpname, fname) < 0) {
+			char *full_tmpname = strdup(full_fname(tmpname));
+			if (full_tmpname == NULL)
+				out_of_memory("atomic_create");
 			rsyserr(FERROR_XFER, errno, "rename %s -> \"%s\" failed",
-				full_fname(tmpname), full_fname(fname));
-			do_unlink(tmpname);
+				full_tmpname, full_fname(fname));
+			free(full_tmpname);
+			do_unlink_at(tmpname);
 			return 0;
 		}
 	}
@@ -2102,7 +2117,7 @@ static void touch_up_dirs(struct file_list *flist, int ndx)
 			continue;
 		fname = f_name(file, NULL);
 		if (fix_dir_perms)
-			do_chmod(fname, file->mode);
+			do_chmod_at(fname, file->mode);
 		if (need_retouch_dir_times) {
 			STRUCT_STAT st;
 			if (link_stat(fname, &st, 0) == 0 && mtime_differs(&st, file)) {
@@ -2137,6 +2152,8 @@ void check_for_finished_files(int itemizing, enum logcode code, int check_redo)
 			if (send_failed)
 				ndx = get_hlink_num();
 			flist = flist_for_ndx(ndx, "check_for_finished_files.1");
+			if (ndx < flist->ndx_start)
+				exit_cleanup(RERR_PROTOCOL);
 			file = flist->files[ndx - flist->ndx_start];
 			assert(file->flags & FLAG_HLINKED);
 			if (send_failed)
@@ -2165,6 +2182,8 @@ void check_for_finished_files(int itemizing, enum logcode code, int check_redo)
 
 			flist = cur_flist;
 			cur_flist = flist_for_ndx(ndx, "check_for_finished_files.2");
+			if (ndx < cur_flist->ndx_start)
+				exit_cleanup(RERR_PROTOCOL);
 
 			file = cur_flist->files[ndx - cur_flist->ndx_start];
 			if (solo_file)

hashtable.c

@@ -1,7 +1,7 @@
 /*
  * Routines to provide a memory-efficient hashtable.
  *
- * Copyright (C) 2007-2020 Wayne Davison
+ * Copyright (C) 2007-2022 Wayne Davison
  *
  * This program is free software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License as published by
@@ -350,6 +350,9 @@ void *hashtable_find(struct hashtable *tbl, int64 key, void *data_when_new)
  -------------------------------------------------------------------------------
 */
 
+#define NON_ZERO_32(x) ((x) ? (x) : (uint32_t)1)
+#define NON_ZERO_64(x, y) ((x) || (y) ? (y) | (int64)(x) << 32 | (y) : (int64)1)
+
 uint32_t hashlittle(const void *key, size_t length)
 {
   uint32_t a,b,c;                                          /* internal state */
@@ -390,7 +393,7 @@ uint32_t hashlittle(const void *key, size_t length)
     case 3 : a+=((uint32_t)k8[2])<<16;   /* fall through */
     case 2 : a+=((uint32_t)k8[1])<<8;    /* fall through */
     case 1 : a+=k8[0]; break;
-    case 0 : return c;
+    case 0 : return NON_ZERO_32(c);
     }
   } else if (HASH_LITTLE_ENDIAN && ((u.i & 0x1) == 0)) {
     const uint16_t *k = (const uint16_t *)key;         /* read 16-bit chunks */
@@ -436,7 +439,7 @@ uint32_t hashlittle(const void *key, size_t length)
              break;
     case 1 : a+=k8[0];
              break;
-    case 0 : return c;                     /* zero length requires no mixing */
+    case 0 : return NON_ZERO_32(c);         /* zero length requires no mixing */
     }
 
   } else {                        /* need to read the key one byte at a time */
@@ -489,10 +492,171 @@ uint32_t hashlittle(const void *key, size_t length)
 	     /* FALLTHROUGH */
     case 1 : a+=k[0];
              break;
-    case 0 : return c;
+    case 0 : return NON_ZERO_32(c);
     }
   }
 
   final(a,b,c);
-  return c;
+  return NON_ZERO_32(c);
 }
+
+#if SIZEOF_INT64 >= 8
+/*
+ * hashlittle2: return 2 32-bit hash values joined into an int64.
+ *
+ * This is identical to hashlittle(), except it returns two 32-bit hash
+ * values instead of just one.  This is good enough for hash table
+ * lookup with 2^^64 buckets, or if you want a second hash if you're not
+ * happy with the first, or if you want a probably-unique 64-bit ID for
+ * the key.  *pc is better mixed than *pb, so use *pc first.  If you want
+ * a 64-bit value do something like "*pc + (((uint64_t)*pb)<<32)".
+ */
+int64 hashlittle2(const void *key, size_t length)
+{
+  uint32_t a,b,c;                                          /* internal state */
+  union { const void *ptr; size_t i; } u;     /* needed for Mac Powerbook G4 */
+
+  /* Set up the internal state */
+  a = b = c = 0xdeadbeef + ((uint32_t)length);
+
+  u.ptr = key;
+  if (HASH_LITTLE_ENDIAN && ((u.i & 0x3) == 0)) {
+    const uint32_t *k = (const uint32_t *)key;         /* read 32-bit chunks */
+    const uint8_t  *k8;
+
+    /*------ all but last block: aligned reads and affect 32 bits of (a,b,c) */
+    while (length > 12)
+    {
+      a += k[0];
+      b += k[1];
+      c += k[2];
+      mix(a,b,c);
+      length -= 12;
+      k += 3;
+    }
+
+    /*----------------------------- handle the last (probably partial) block */
+    k8 = (const uint8_t *)k;
+    switch(length)
+    {
+    case 12: c+=k[2]; b+=k[1]; a+=k[0]; break;
+    case 11: c+=((uint32_t)k8[10])<<16;  /* fall through */
+    case 10: c+=((uint32_t)k8[9])<<8;    /* fall through */
+    case 9 : c+=k8[8];                   /* fall through */
+    case 8 : b+=k[1]; a+=k[0]; break;
+    case 7 : b+=((uint32_t)k8[6])<<16;   /* fall through */
+    case 6 : b+=((uint32_t)k8[5])<<8;    /* fall through */
+    case 5 : b+=k8[4];                   /* fall through */
+    case 4 : a+=k[0]; break;
+    case 3 : a+=((uint32_t)k8[2])<<16;   /* fall through */
+    case 2 : a+=((uint32_t)k8[1])<<8;    /* fall through */
+    case 1 : a+=k8[0]; break;
+    case 0 : return NON_ZERO_64(b, c);
+    }
+  } else if (HASH_LITTLE_ENDIAN && ((u.i & 0x1) == 0)) {
+    const uint16_t *k = (const uint16_t *)key;         /* read 16-bit chunks */
+    const uint8_t  *k8;
+
+    /*--------------- all but last block: aligned reads and different mixing */
+    while (length > 12)
+    {
+      a += k[0] + (((uint32_t)k[1])<<16);
+      b += k[2] + (((uint32_t)k[3])<<16);
+      c += k[4] + (((uint32_t)k[5])<<16);
+      mix(a,b,c);
+      length -= 12;
+      k += 6;
+    }
+
+    /*----------------------------- handle the last (probably partial) block */
+    k8 = (const uint8_t *)k;
+    switch(length)
+    {
+    case 12: c+=k[4]+(((uint32_t)k[5])<<16);
+             b+=k[2]+(((uint32_t)k[3])<<16);
+             a+=k[0]+(((uint32_t)k[1])<<16);
+             break;
+    case 11: c+=((uint32_t)k8[10])<<16;     /* fall through */
+    case 10: c+=k[4];
+             b+=k[2]+(((uint32_t)k[3])<<16);
+             a+=k[0]+(((uint32_t)k[1])<<16);
+             break;
+    case 9 : c+=k8[8];                      /* fall through */
+    case 8 : b+=k[2]+(((uint32_t)k[3])<<16);
+             a+=k[0]+(((uint32_t)k[1])<<16);
+             break;
+    case 7 : b+=((uint32_t)k8[6])<<16;      /* fall through */
+    case 6 : b+=k[2];
+             a+=k[0]+(((uint32_t)k[1])<<16);
+             break;
+    case 5 : b+=k8[4];                      /* fall through */
+    case 4 : a+=k[0]+(((uint32_t)k[1])<<16);
+             break;
+    case 3 : a+=((uint32_t)k8[2])<<16;      /* fall through */
+    case 2 : a+=k[0];
+             break;
+    case 1 : a+=k8[0];
+             break;
+    case 0 : return NON_ZERO_64(b, c);  /* zero length strings require no mixing */
+    }
+
+  } else {                        /* need to read the key one byte at a time */
+    const uint8_t *k = (const uint8_t *)key;
+
+    /*--------------- all but the last block: affect some 32 bits of (a,b,c) */
+    while (length > 12)
+    {
+      a += k[0];
+      a += ((uint32_t)k[1])<<8;
+      a += ((uint32_t)k[2])<<16;
+      a += ((uint32_t)k[3])<<24;
+      b += k[4];
+      b += ((uint32_t)k[5])<<8;
+      b += ((uint32_t)k[6])<<16;
+      b += ((uint32_t)k[7])<<24;
+      c += k[8];
+      c += ((uint32_t)k[9])<<8;
+      c += ((uint32_t)k[10])<<16;
+      c += ((uint32_t)k[11])<<24;
+      mix(a,b,c);
+      length -= 12;
+      k += 12;
+    }
+
+    /*-------------------------------- last block: affect all 32 bits of (c) */
+    switch(length)                   /* all the case statements fall through */
+    {
+    case 12: c+=((uint32_t)k[11])<<24;
+	     /* FALLTHROUGH */
+    case 11: c+=((uint32_t)k[10])<<16;
+	     /* FALLTHROUGH */
+    case 10: c+=((uint32_t)k[9])<<8;
+	     /* FALLTHROUGH */
+    case 9 : c+=k[8];
+	     /* FALLTHROUGH */
+    case 8 : b+=((uint32_t)k[7])<<24;
+	     /* FALLTHROUGH */
+    case 7 : b+=((uint32_t)k[6])<<16;
+	     /* FALLTHROUGH */
+    case 6 : b+=((uint32_t)k[5])<<8;
+	     /* FALLTHROUGH */
+    case 5 : b+=k[4];
+	     /* FALLTHROUGH */
+    case 4 : a+=((uint32_t)k[3])<<24;
+	     /* FALLTHROUGH */
+    case 3 : a+=((uint32_t)k[2])<<16;
+	     /* FALLTHROUGH */
+    case 2 : a+=((uint32_t)k[1])<<8;
+	     /* FALLTHROUGH */
+    case 1 : a+=k[0];
+             break;
+    case 0 : return NON_ZERO_64(b, c);
+    }
+  }
+
+  final(a,b,c);
+  return NON_ZERO_64(b, c);
+}
+#else
+#define hashlittle2(key, len) hashlittle(key, len)
+#endif

hlink.c

@@ -4,7 +4,7 @@
  * Copyright (C) 1996 Andrew Tridgell
  * Copyright (C) 1996 Paul Mackerras
  * Copyright (C) 2002 Martin Pool <mbp@samba.org>
- * Copyright (C) 2004-2020 Wayne Davison
+ * Copyright (C) 2004-2022 Wayne Davison
  *
  * This program is free software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License as published by
@@ -117,7 +117,7 @@ static void match_gnums(int32 *ndx_list, int ndx_count)
 	struct ht_int32_node *node = NULL;
 	int32 gnum, gnum_next;
 
-	qsort(ndx_list, ndx_count, sizeof ndx_list[0], (int (*)()) hlink_compare_gnum);
+	qsort(ndx_list, ndx_count, sizeof ndx_list[0], (int (*)(const void*, const void*))hlink_compare_gnum);
 
 	for (from = 0; from < ndx_count; from++) {
 		file = hlink_flist->sorted[ndx_list[from]];
@@ -446,7 +446,7 @@ int hard_link_check(struct file_struct *file, int ndx, char *fname,
 		return -1;
 
 	if (remove_source_files == 1 && do_xfers)
-		send_msg_int(MSG_SUCCESS, ndx);
+		send_msg_success(fname, ndx);
 
 	return 1;
 }
@@ -454,7 +454,7 @@ int hard_link_check(struct file_struct *file, int ndx, char *fname,
 int hard_link_one(struct file_struct *file, const char *fname,
 		  const char *oldname, int terse)
 {
-	if (do_link(oldname, fname) < 0) {
+	if (do_link_at(oldname, fname) < 0) {
 		enum logcode code;
 		if (terse) {
 			if (!INFO_GTE(NAME, 1))
@@ -519,7 +519,7 @@ void finish_hard_link(struct file_struct *file, const char *fname, int fin_ndx,
 		if (val < 0)
 			continue;
 		if (remove_source_files == 1 && do_xfers)
-			send_msg_int(MSG_SUCCESS, ndx);
+			send_msg_success(fname, ndx);
 	}
 
 	if (inc_recurse) {

io.c

@@ -41,6 +41,7 @@ extern int am_server;
 extern int am_sender;
 extern int am_receiver;
 extern int am_generator;
+extern int local_server;
 extern int msgs2stderr;
 extern int inc_recurse;
 extern int io_error;
@@ -54,6 +55,7 @@ extern int read_batch;
 extern int compat_flags;
 extern int protect_args;
 extern int checksum_seed;
+extern int xfer_sum_len;
 extern int daemon_connection;
 extern int protocol_version;
 extern int remove_source_files;
@@ -84,6 +86,8 @@ int sock_f_out = -1;
 int64 total_data_read = 0;
 int64 total_data_written = 0;
 
+char num_dev_ino_buf[4 + 8 + 8];
+
 static struct {
 	xbuf in, out, msg;
 	int in_fd;
@@ -376,6 +380,7 @@ static void forward_filesfrom_data(void)
 			free_xbuf(&ff_xb);
 			if (ff_reenable_multiplex >= 0)
 				io_start_multiplex_out(ff_reenable_multiplex);
+			free_implied_include_partial_string();
 		}
 		return;
 	}
@@ -419,6 +424,7 @@ static void forward_filesfrom_data(void)
 		while (s != eob) {
 			if (*s++ == '\0') {
 				ff_xb.len = s - sob - 1;
+				add_implied_include(sob, 0);
 				if (iconvbufs(ic_send, &ff_xb, &iobuf.out, flags) < 0)
 					exit_cleanup(RERR_PROTOCOL); /* impossible? */
 				write_buf(iobuf.out_fd, s-1, 1); /* Send the '\0'. */
@@ -434,6 +440,7 @@ static void forward_filesfrom_data(void)
 			ff_lastchar = '\0';
 		else {
 			/* Handle a partial string specially, saving any incomplete chars. */
+			implied_include_partial_string(sob, s);
 			flags &= ~ICB_INCLUDE_INCOMPLETE;
 			if (iconvbufs(ic_send, &ff_xb, &iobuf.out, flags) < 0) {
 				if (errno == E2BIG)
@@ -450,13 +457,17 @@ static void forward_filesfrom_data(void)
 		char *f = ff_xb.buf + ff_xb.pos;
 		char *t = ff_xb.buf;
 		char *eob = f + len;
+		char *cur = t;
 		/* Eliminate any multi-'\0' runs. */
 		while (f != eob) {
 			if (!(*t++ = *f++)) {
+				add_implied_include(cur, 0);
+				cur = t;
 				while (f != eob && *f == '\0')
 					f++;
 			}
 		}
+		implied_include_partial_string(cur, t);
 		ff_lastchar = f[-1];
 		if ((len = t - ff_xb.buf) != 0) {
 			/* This will not circle back to perform_io() because we only get
@@ -1057,10 +1068,31 @@ void send_msg_int(enum msgcode code, int num)
 	send_msg(code, numbuf, 4, -1);
 }
 
+void send_msg_success(const char *fname, int num)
+{
+	if (local_server) {
+		STRUCT_STAT st;
+
+		if (DEBUG_GTE(IO, 1))
+			rprintf(FINFO, "[%s] send_msg_success(%d)\n", who_am_i(), num);
+
+		if (stat(fname, &st) < 0)
+			memset(&st, 0, sizeof (STRUCT_STAT));
+		SIVAL(num_dev_ino_buf, 0, num);
+		SIVAL64(num_dev_ino_buf, 4, st.st_dev);
+		SIVAL64(num_dev_ino_buf, 4+8, st.st_ino);
+		send_msg(MSG_SUCCESS, num_dev_ino_buf, sizeof num_dev_ino_buf, -1);
+	} else
+		send_msg_int(MSG_SUCCESS, num);
+}
+
 static void got_flist_entry_status(enum festatus status, int ndx)
 {
 	struct file_list *flist = flist_for_ndx(ndx, "got_flist_entry_status");
 
+	if (ndx < flist->ndx_start)
+		exit_cleanup(RERR_PROTOCOL);
+
 	if (remove_source_files) {
 		active_filecnt--;
 		active_bytecnt -= F_LENGTH(flist->files[ndx - flist->ndx_start]);
@@ -1071,8 +1103,12 @@ static void got_flist_entry_status(enum festatus status, int ndx)
 
 	switch (status) {
 	case FES_SUCCESS:
-		if (remove_source_files)
-			send_msg_int(MSG_SUCCESS, ndx);
+		if (remove_source_files) {
+			if (local_server)
+				send_msg(MSG_SUCCESS, num_dev_ino_buf, sizeof num_dev_ino_buf, -1);
+			else
+				send_msg_int(MSG_SUCCESS, ndx);
+		}
 		/* FALL THROUGH */
 	case FES_NO_SEND:
 #ifdef SUPPORT_HARD_LINKS
@@ -1125,8 +1161,8 @@ void set_io_timeout(int secs)
 
 static void check_for_d_option_error(const char *msg)
 {
-	static char rsync263_opts[] = "BCDHIKLPRSTWabceghlnopqrtuvxz";
-	char *colon;
+	static const char rsync263_opts[] = "BCDHIKLPRSTWabceghlnopqrtuvxz";
+	const char *colon;
 	int saw_d = 0;
 
 	if (*msg != 'r'
@@ -1567,14 +1603,15 @@ static void read_a_msg(void)
 		}
 		break;
 	case MSG_SUCCESS:
-		if (msg_bytes != 4) {
+		if (msg_bytes != (local_server ? 4+8+8 : 4)) {
 		  invalid_msg:
 			rprintf(FERROR, "invalid multi-message %d:%lu [%s%s]\n",
 				tag, (unsigned long)msg_bytes, who_am_i(),
 				inc_recurse ? "/inc" : "");
 			exit_cleanup(RERR_STREAMIO);
 		}
-		val = raw_read_int();
+		raw_read_buf(num_dev_ino_buf, msg_bytes);
+		val = IVAL(num_dev_ino_buf, 0);
 		iobuf.in_multiplexed = 1;
 		if (am_generator)
 			got_flist_entry_status(FES_SUCCESS, val);
@@ -1751,6 +1788,13 @@ int32 read_int(int f)
 	return num;
 }
 
+uint32 read_uint(int f)
+{
+	char b[4];
+	read_buf(f, b, 4);
+	return IVAL(b, 0);
+}
+
 int32 read_varint(int f)
 {
 	union {
@@ -1824,6 +1868,45 @@ int64 read_varlong(int f, uchar min_bytes)
 	return u.x;
 }
 
+/* Read an int32 and verify lo <= v <= hi. On out-of-range, abort with a
+ * protocol error naming "what". The bound is co-located with the read so it
+ * cannot be forgotten by a downstream user. */
+int32 read_int_bounded(int f, int32 lo, int32 hi, const char *what)
+{
+	int32 v = read_int(f);
+	if (v < lo || v > hi) {
+		rprintf(FERROR, "wire value %s out of range: %ld not in [%ld,%ld] [%s]\n",
+			what, (long)v, (long)lo, (long)hi, who_am_i());
+		exit_cleanup(RERR_PROTOCOL);
+	}
+	return v;
+}
+
+/* As read_int_bounded but for varint-encoded values. */
+int32 read_varint_bounded(int f, int32 lo, int32 hi, const char *what)
+{
+	int32 v = read_varint(f);
+	if (v < lo || v > hi) {
+		rprintf(FERROR, "wire value %s out of range: %ld not in [%ld,%ld] [%s]\n",
+			what, (long)v, (long)lo, (long)hi, who_am_i());
+		exit_cleanup(RERR_PROTOCOL);
+	}
+	return v;
+}
+
+/* Read a varint that will be used as a size_t. Rejects negative values
+ * (which would wrap to ~SIZE_MAX) and values exceeding the supplied max. */
+size_t read_varint_size(int f, size_t max, const char *what)
+{
+	int32 v = read_varint(f);
+	if (v < 0 || (size_t)v > max) {
+		rprintf(FERROR, "wire size %s out of range: %ld > %lu [%s]\n",
+			what, (long)v, (unsigned long)max, who_am_i());
+		exit_cleanup(RERR_PROTOCOL);
+	}
+	return (size_t)v;
+}
+
 int64 read_longint(int f)
 {
 #if SIZEOF_INT64 >= 8
@@ -1843,6 +1926,7 @@ int64 read_longint(int f)
 #endif
 }
 
+/* Debugging note: this will be named read_buf_() when using an external zlib. */
 void read_buf(int f, char *buf, size_t len)
 {
 	if (f != iobuf.in_fd) {
@@ -1929,6 +2013,21 @@ void read_sum_head(int f, struct sum_struct *sum)
 			(long)sum->count, who_am_i());
 		exit_cleanup(RERR_PROTOCOL);
 	}
+	/* Guard against integer overflow in downstream allocations sized by
+	 * count*element_size. my_alloc uses divide-not-multiply so it is
+	 * already wraparound-safe, but checking here gives a clearer error
+	 * and also covers the (size_t)count * xfer_sum_len arithmetic that
+	 * is performed *before* reaching my_alloc. */
+	if (xfer_sum_len > 0 && (size_t)sum->count > SIZE_MAX / (size_t)xfer_sum_len) {
+		rprintf(FERROR, "Invalid checksum count %ld (too large) [%s]\n",
+			(long)sum->count, who_am_i());
+		exit_cleanup(RERR_PROTOCOL);
+	}
+	if ((size_t)sum->count > SIZE_MAX / sizeof(struct sum_buf)) {
+		rprintf(FERROR, "Invalid checksum count %ld (sum_buf overflow) [%s]\n",
+			(long)sum->count, who_am_i());
+		exit_cleanup(RERR_PROTOCOL);
+	}
 	sum->blength = read_int(f);
 	if (sum->blength < 0 || sum->blength > max_blength) {
 		rprintf(FERROR, "Invalid block length %ld [%s]\n",
@@ -1936,7 +2035,7 @@ void read_sum_head(int f, struct sum_struct *sum)
 		exit_cleanup(RERR_PROTOCOL);
 	}
 	sum->s2length = protocol_version < 27 ? csum_length : (int)read_int(f);
-	if (sum->s2length < 0 || sum->s2length > MAX_DIGEST_LEN) {
+	if (sum->s2length < 0 || sum->s2length > xfer_sum_len) {
 		rprintf(FERROR, "Invalid checksum length %d [%s]\n",
 			sum->s2length, who_am_i());
 		exit_cleanup(RERR_PROTOCOL);

lib/md-defines.h

@@ -1,11 +1,28 @@
 /* Keep this simple so both C and ASM can use it */
 
+/* These allow something like CFLAGS=-DDISABLE_SHA512_DIGEST */
+#ifdef DISABLE_SHA256_DIGEST
+#undef SHA256_DIGEST_LENGTH
+#endif
+#ifdef DISABLE_SHA512_DIGEST
+#undef SHA512_DIGEST_LENGTH
+#endif
+
 #define MD4_DIGEST_LEN 16
 #define MD5_DIGEST_LEN 16
+#if defined SHA512_DIGEST_LENGTH
+#define MAX_DIGEST_LEN SHA512_DIGEST_LENGTH
+#elif defined SHA256_DIGEST_LENGTH
+#define MAX_DIGEST_LEN SHA256_DIGEST_LENGTH
+#elif defined SHA_DIGEST_LENGTH
+#define MAX_DIGEST_LEN SHA_DIGEST_LENGTH
+#else
 #define MAX_DIGEST_LEN MD5_DIGEST_LEN
+#endif
 
 #define CSUM_CHUNK 64
 
+#define CSUM_gone -1
 #define CSUM_NONE 0
 #define CSUM_MD4_ARCHAIC 1
 #define CSUM_MD4_BUSTED 2
@@ -15,3 +32,6 @@
 #define CSUM_XXH64 6
 #define CSUM_XXH3_64 7
 #define CSUM_XXH3_128 8
+#define CSUM_SHA1 9
+#define CSUM_SHA256 10
+#define CSUM_SHA512 11

lib/md5-asm-x86_64.S

@@ -27,7 +27,7 @@
 #include "config.h"
 #include "md-defines.h"
 
-#if !defined USE_OPENSSL && CSUM_CHUNK == 64
+#ifdef USE_MD5_ASM /* { */
 
 #ifdef __APPLE__
 #define md5_process_asm _md5_process_asm
@@ -698,4 +698,4 @@ md5_process_asm:
 	pop	%rbp
 	ret
 
-#endif /* !USE_OPENSSL ... */
+#endif /* } USE_MD5_ASM */

lib/md5.c

@@ -2,7 +2,7 @@
  * RFC 1321 compliant MD5 implementation
  *
  * Copyright (C) 2001-2003 Christophe Devine
- * Copyright (C) 2007-2020 Wayne Davison
+ * Copyright (C) 2007-2022 Wayne Davison
  *
  * This program is free software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License as published by
@@ -20,7 +20,6 @@
 
 #include "rsync.h"
 
-#ifndef USE_OPENSSL
 void md5_begin(md_context *ctx)
 {
 	ctx->A = 0x67452301;
@@ -148,7 +147,10 @@ static void md5_process(md_context *ctx, const uchar data[CSUM_CHUNK])
 	ctx->D += D;
 }
 
-#if defined HAVE_ASM && CSUM_CHUNK == 64
+#ifdef USE_MD5_ASM
+#if CSUM_CHUNK != 64
+#error The MD5 ASM code does not support CSUM_CHUNK != 64
+#endif
 extern void md5_process_asm(md_context *ctx, const void *data, size_t num);
 #endif
 
@@ -176,20 +178,20 @@ void md5_update(md_context *ctx, const uchar *input, uint32 length)
 		left = 0;
 	}
 
-#if defined HAVE_ASM && CSUM_CHUNK == 64
+#ifdef USE_MD5_ASM /* { */
 	if (length >= CSUM_CHUNK) {
 		uint32 chunks = length / CSUM_CHUNK;
 		md5_process_asm(ctx, input, chunks);
 		length -= chunks * CSUM_CHUNK;
 		input += chunks * CSUM_CHUNK;
 	}
-#else
+#else /* } { */
 	while (length >= CSUM_CHUNK) {
 		md5_process(ctx, input);
 		length -= CSUM_CHUNK;
 		input  += CSUM_CHUNK;
 	}
-#endif
+#endif /* } */
 
 	if (length)
 		memcpy(ctx->buffer + left, input, length);
@@ -221,9 +223,8 @@ void md5_result(md_context *ctx, uchar digest[MD5_DIGEST_LEN])
 	SIVALu(digest, 8, ctx->C);
 	SIVALu(digest, 12, ctx->D);
 }
-#endif
 
-#ifdef TEST_MD5
+#ifdef TEST_MD5 /* { */
 
 void get_md5(uchar *out, const uchar *input, int n)
 {
@@ -317,4 +318,4 @@ int main(int argc, char *argv[])
 	return 0;
 }
 
-#endif
+#endif /* } */

lib/mdigest.h

@@ -1,8 +1,8 @@
 /* The include file for both the MD4 and MD5 routines. */
 
 #ifdef USE_OPENSSL
-#include "openssl/md4.h"
-#include "openssl/md5.h"
+#include <openssl/sha.h>
+#include <openssl/evp.h>
 #endif
 #include "md-defines.h"
 
@@ -17,13 +17,6 @@ void mdfour_begin(md_context *md);
 void mdfour_update(md_context *md, const uchar *in, uint32 length);
 void mdfour_result(md_context *md, uchar digest[MD4_DIGEST_LEN]);
 
-#ifndef USE_OPENSSL
-#define MD5_CTX md_context
-#define MD5_Init md5_begin
-#define MD5_Update md5_update
-#define MD5_Final(digest, cptr) md5_result(cptr, digest)
-
 void md5_begin(md_context *ctx);
 void md5_update(md_context *ctx, const uchar *input, uint32 length);
 void md5_result(md_context *ctx, uchar digest[MD5_DIGEST_LEN]);
-#endif

lib/pool_alloc.c

@@ -9,7 +9,7 @@ struct alloc_pool
 	size_t			size;		/* extent size		*/
 	size_t			quantum;	/* allocation quantum	*/
 	struct pool_extent	*extents;	/* top extent is "live" */
-	void			(*bomb)();	/* called if malloc fails */
+	void			(*bomb)(const char*, const char*, int);	/* called if malloc fails */
 	int			flags;
 
 	/* statistical data */

lib/sysacls.c

@@ -2,7 +2,7 @@
  * Unix SMB/CIFS implementation.
  * Based on the Samba ACL support code.
  * Copyright (C) Jeremy Allison 2000.
- * Copyright (C) 2007-2020 Wayne Davison
+ * Copyright (C) 2007-2022 Wayne Davison
  *
  * The permission functions have been changed to get/set all bits via
  * one call.  Some functions that rsync doesn't need were also removed.
@@ -175,7 +175,7 @@ int sys_acl_delete_def_file(const char *name)
 	return acl_delete_def_file(name);
 }
 
-int sys_acl_free_acl(SMB_ACL_T the_acl) 
+int sys_acl_free_acl(SMB_ACL_T the_acl)
 {
 	return acl_free(the_acl);
 }
@@ -185,7 +185,7 @@ int sys_acl_free_acl(SMB_ACL_T the_acl)
  * The interface to DEC/Compaq Tru64 UNIX ACLs
  * is based on Draft 13 of the POSIX spec which is
  * slightly different from the Draft 16 interface.
- * 
+ *
  * Also, some of the permset manipulation functions
  * such as acl_clear_perm() and acl_add_perm() appear
  * to be broken on Tru64 so we have to manipulate
@@ -310,7 +310,7 @@ int sys_acl_delete_def_file(const char *name)
 	return acl_delete_def_file((char *)name);
 }
 
-int sys_acl_free_acl(SMB_ACL_T the_acl) 
+int sys_acl_free_acl(SMB_ACL_T the_acl)
 {
 	return acl_free(the_acl);
 }
@@ -457,7 +457,7 @@ SMB_ACL_T sys_acl_get_file(const char *path_p, SMB_ACL_TYPE_T type)
 			break;
 	}
 	ndefault = count - naccess;
-	
+
 	/*
 	 * if the caller wants the default ACL we have to copy
 	 * the entries down to the start of the acl[] buffer
@@ -517,7 +517,7 @@ SMB_ACL_T sys_acl_get_fd(int fd)
 		if (acl_d->acl[naccess].a_type & ACL_DEFAULT)
 			break;
 	}
-	
+
 	acl_d->count = naccess;
 
 	return acl_d;
@@ -532,7 +532,7 @@ int sys_acl_get_info(SMB_ACL_ENTRY_T entry, SMB_ACL_TAG_T *tag_type_p, uint32 *b
 
 	if (*tag_type_p == SMB_ACL_USER || *tag_type_p == SMB_ACL_GROUP)
 		*u_g_id_p = entry->a_id;
-	
+
 	return 0;
 }
 
@@ -633,7 +633,7 @@ static int acl_sort(SMB_ACL_T acl_d)
 	}
 	return 0;
 }
- 
+
 int sys_acl_valid(SMB_ACL_T acl_d)
 {
 	return acl_sort(acl_d);
@@ -755,11 +755,11 @@ int sys_acl_delete_def_file(const char *path)
 	ret = acl(path, SETACL, acl_d->count, acl_d->acl);
 
 	sys_acl_free_acl(acl_d);
-	
+
 	return ret;
 }
 
-int sys_acl_free_acl(SMB_ACL_T acl_d) 
+int sys_acl_free_acl(SMB_ACL_T acl_d)
 {
 	SAFE_FREE(acl_d);
 	return 0;
@@ -895,10 +895,10 @@ SMB_ACL_T sys_acl_get_file(const char *path_p, SMB_ACL_TYPE_T type)
 	int		ndefault;	/* # of default ACL entries	*/
 
 	if (hpux_acl_call_presence() == False) {
-		/* Looks like we don't have the acl() system call on HPUX. 
+		/* Looks like we don't have the acl() system call on HPUX.
 		 * May be the system doesn't have the latest version of JFS.
 		 */
-		return NULL; 
+		return NULL;
 	}
 
 	if (type != SMB_ACL_TYPE_ACCESS && type != SMB_ACL_TYPE_DEFAULT) {
@@ -949,7 +949,7 @@ SMB_ACL_T sys_acl_get_file(const char *path_p, SMB_ACL_TYPE_T type)
 			break;
 	}
 	ndefault = count - naccess;
-	
+
 	/*
 	 * if the caller wants the default ACL we have to copy
 	 * the entries down to the start of the acl[] buffer
@@ -1109,9 +1109,9 @@ struct hpux_acl_types {
  * aclp           - Array of ACL structures.
  * acl_type_count - Pointer to acl_types structure. Should already be
  *                  allocated.
- * Output: 
+ * Output:
  *
- * acl_type_count - This structure is filled up with counts of various 
+ * acl_type_count - This structure is filled up with counts of various
  *                  acl types.
  */
 
@@ -1123,28 +1123,28 @@ static void hpux_count_obj(int acl_count, struct acl *aclp, struct hpux_acl_type
 
 	for (i = 0; i < acl_count; i++) {
 		switch (aclp[i].a_type) {
-		case USER: 
+		case USER:
 			acl_type_count->n_user++;
 			break;
-		case USER_OBJ: 
+		case USER_OBJ:
 			acl_type_count->n_user_obj++;
 			break;
-		case DEF_USER_OBJ: 
+		case DEF_USER_OBJ:
 			acl_type_count->n_def_user_obj++;
 			break;
-		case GROUP: 
+		case GROUP:
 			acl_type_count->n_group++;
 			break;
-		case GROUP_OBJ: 
+		case GROUP_OBJ:
 			acl_type_count->n_group_obj++;
 			break;
-		case DEF_GROUP_OBJ: 
+		case DEF_GROUP_OBJ:
 			acl_type_count->n_def_group_obj++;
 			break;
-		case OTHER_OBJ: 
+		case OTHER_OBJ:
 			acl_type_count->n_other_obj++;
 			break;
-		case DEF_OTHER_OBJ: 
+		case DEF_OTHER_OBJ:
 			acl_type_count->n_def_other_obj++;
 			break;
 		case CLASS_OBJ:
@@ -1159,14 +1159,14 @@ static void hpux_count_obj(int acl_count, struct acl *aclp, struct hpux_acl_type
 		case DEF_GROUP:
 			acl_type_count->n_def_group++;
 			break;
-		default: 
+		default:
 			acl_type_count->n_illegal_obj++;
 			break;
 		}
 	}
 }
 
-/* swap_acl_entries:  Swaps two ACL entries. 
+/* swap_acl_entries:  Swaps two ACL entries.
  *
  * Inputs: aclp0, aclp1 - ACL entries to be swapped.
  */
@@ -1189,25 +1189,25 @@ static void hpux_swap_acl_entries(struct acl *aclp0, struct acl *aclp1)
 }
 
 /* prohibited_duplicate_type
- * Identifies if given ACL type can have duplicate entries or 
+ * Identifies if given ACL type can have duplicate entries or
  * not.
  *
  * Inputs: acl_type - ACL Type.
  *
- * Outputs: 
+ * Outputs:
  *
- * Return.. 
+ * Return..
  *
  * True - If the ACL type matches any of the prohibited types.
  * False - If the ACL type doesn't match any of the prohibited types.
- */ 
+ */
 
 static BOOL hpux_prohibited_duplicate_type(int acl_type)
 {
 	switch (acl_type) {
 	case USER:
 	case GROUP:
-	case DEF_USER: 
+	case DEF_USER:
 	case DEF_GROUP:
 		return True;
 	default:
@@ -1217,7 +1217,7 @@ static BOOL hpux_prohibited_duplicate_type(int acl_type)
 
 /* get_needed_class_perm
  * Returns the permissions of a ACL structure only if the ACL
- * type matches one of the pre-determined types for computing 
+ * type matches one of the pre-determined types for computing
  * CLASS_OBJ permissions.
  *
  * Inputs: aclp - Pointer to ACL structure.
@@ -1226,17 +1226,17 @@ static BOOL hpux_prohibited_duplicate_type(int acl_type)
 static int hpux_get_needed_class_perm(struct acl *aclp)
 {
 	switch (aclp->a_type) {
-	case USER: 
-	case GROUP_OBJ: 
-	case GROUP: 
-	case DEF_USER_OBJ: 
+	case USER:
+	case GROUP_OBJ:
+	case GROUP:
+	case DEF_USER_OBJ:
 	case DEF_USER:
-	case DEF_GROUP_OBJ: 
+	case DEF_GROUP_OBJ:
 	case DEF_GROUP:
 	case DEF_CLASS_OBJ:
-	case DEF_OTHER_OBJ: 
+	case DEF_OTHER_OBJ:
 		return aclp->a_perm;
-	default: 
+	default:
 		return 0;
 	}
 }
@@ -1267,15 +1267,15 @@ static int hpux_acl_sort(int acl_count, int calclass, struct acl *aclp)
 #if !defined(HAVE_HPUX_ACLSORT)
 	/*
 	 * The aclsort() system call is available on the latest HPUX General
-	 * Patch Bundles. So for HPUX, we developed our version of acl_sort 
-	 * function. Because, we don't want to update to a new 
+	 * Patch Bundles. So for HPUX, we developed our version of acl_sort
+	 * function. Because, we don't want to update to a new
 	 * HPUX GR bundle just for aclsort() call.
 	 */
 
 	struct hpux_acl_types acl_obj_count;
 	int n_class_obj_perm = 0;
 	int i, j;
- 
+
 	if (!acl_count) {
 		DEBUG(10, ("Zero acl count passed. Returning Success\n"));
 		return 0;
@@ -1290,8 +1290,8 @@ static int hpux_acl_sort(int acl_count, int calclass, struct acl *aclp)
 
 	hpux_count_obj(acl_count, aclp, &acl_obj_count);
 
-	/* There should be only one entry each of type USER_OBJ, GROUP_OBJ, 
-	 * CLASS_OBJ and OTHER_OBJ 
+	/* There should be only one entry each of type USER_OBJ, GROUP_OBJ,
+	 * CLASS_OBJ and OTHER_OBJ
 	 */
 
 	if (acl_obj_count.n_user_obj != 1
@@ -1313,15 +1313,15 @@ or DEF_USER_OBJ or DEF_GROUP_OBJ or DEF_OTHER_OBJ\n"));
 		return -1;
 	}
 
-	/* We now have proper number of OBJ and DEF_OBJ entries. Now sort the acl 
-	 * structures.  
+	/* We now have proper number of OBJ and DEF_OBJ entries. Now sort the acl
+	 * structures.
 	 *
 	 * Sorting crieteria - First sort by ACL type. If there are multiple entries of
 	 * same ACL type, sort by ACL id.
 	 *
-	 * I am using the trivial kind of sorting method here because, performance isn't 
+	 * I am using the trivial kind of sorting method here because, performance isn't
 	 * really effected by the ACLs feature. More over there aren't going to be more
-	 * than 17 entries on HPUX. 
+	 * than 17 entries on HPUX.
 	 */
 
 	for (i = 0; i < acl_count; i++) {
@@ -1390,7 +1390,7 @@ static int acl_sort(SMB_ACL_T acl_d)
 	}
 	return 0;
 }
- 
+
 int sys_acl_valid(SMB_ACL_T acl_d)
 {
 	return acl_sort(acl_d);
@@ -1405,11 +1405,11 @@ int sys_acl_set_file(const char *name, SMB_ACL_TYPE_T type, SMB_ACL_T acl_d)
 	int		ret;
 
 	if (hpux_acl_call_presence() == False) {
-		/* Looks like we don't have the acl() system call on HPUX. 
+		/* Looks like we don't have the acl() system call on HPUX.
 		 * May be the system doesn't have the latest version of JFS.
 		 */
 		errno=ENOSYS;
-		return -1; 
+		return -1;
 	}
 
 	if (type != SMB_ACL_TYPE_ACCESS && type != SMB_ACL_TYPE_DEFAULT) {
@@ -1538,11 +1538,11 @@ int sys_acl_delete_def_file(const char *path)
 	ret = acl(path, ACL_SET, acl_d->count, acl_d->acl);
 
 	sys_acl_free_acl(acl_d);
-	
+
 	return ret;
 }
 
-int sys_acl_free_acl(SMB_ACL_T acl_d) 
+int sys_acl_free_acl(SMB_ACL_T acl_d)
 {
 	free(acl_d);
 	return 0;
@@ -1723,7 +1723,7 @@ int sys_acl_delete_def_file(const char *name)
 	return acl_delete_def_file(name);
 }
 
-int sys_acl_free_acl(SMB_ACL_T acl_d) 
+int sys_acl_free_acl(SMB_ACL_T acl_d)
 {
 	if (acl_d->freeaclp) {
 		acl_free(acl_d->aclp);
@@ -1834,12 +1834,12 @@ SMB_ACL_T sys_acl_get_file(const char *path_p, SMB_ACL_TYPE_T type)
 	}
 
 	/* Get the acl using statacl */
- 
+
 	DEBUG(10, ("Entering sys_acl_get_file\n"));
 	DEBUG(10, ("path_p is %s\n", path_p));
 
 	file_acl = (struct acl *)SMB_MALLOC(BUFSIZ);
- 
+
 	if (file_acl == NULL) {
 		errno=ENOMEM;
 		DEBUG(0, ("Error in AIX sys_acl_get_file: %d\n", errno));
@@ -1931,9 +1931,9 @@ SMB_ACL_T sys_acl_get_file(const char *path_p, SMB_ACL_TYPE_T type)
 			 * to be specified but, it's better than leaving it 0 */
 
 			acl_entry_link->entryp->ace_type = acl_entry->ace_type;
- 
+
 			acl_entry_link->entryp->ace_access = acl_entry->ace_access;
- 
+
 			memcpy(acl_entry_link->entryp->ace_id, idp, sizeof (struct ace_id));
 
 			/* The access in the acl entries must be left shifted by *
@@ -1962,7 +1962,7 @@ SMB_ACL_T sys_acl_get_file(const char *path_p, SMB_ACL_TYPE_T type)
 
 			DEBUG(10, ("acl_entry = %d\n", acl_entry));
 			DEBUG(10, ("The ace_type is %d\n", acl_entry->ace_type));
- 
+
 			acl_entry = acl_nxt(acl_entry);
 		}
 	} /* end of if enabled */
@@ -2014,12 +2014,12 @@ SMB_ACL_T sys_acl_get_file(const char *path_p, SMB_ACL_TYPE_T type)
 			new_acl_entry->ace_access = file_acl->o_access << 6;
 			idp->id_type = SMB_ACL_OTHER;
 			break;
- 
+
 		case 1:
 			new_acl_entry->ace_access = file_acl->u_access << 6;
 			idp->id_type = SMB_ACL_USER_OBJ;
 			break;
- 
+
 		default:
 			return NULL;
 
@@ -2048,7 +2048,7 @@ SMB_ACL_T sys_acl_get_fd(int fd)
 	int rc = 0;
 
 	/* Get the acl using fstatacl */
-   
+
 	DEBUG(10, ("Entering sys_acl_get_fd\n"));
 	DEBUG(10, ("fd is %d\n", fd));
 	file_acl = (struct acl *)SMB_MALLOC(BUFSIZ);
@@ -2095,12 +2095,12 @@ SMB_ACL_T sys_acl_get_fd(int fd)
 
 	DEBUG(10, ("acl_entry is %d\n", acl_entry));
 	DEBUG(10, ("acl_last(file_acl) id %d\n", acl_last(file_acl)));
- 
+
 	/* Check if the extended acl bit is on.   *
 	 * If it isn't, do not show the           *
 	 * contents of the acl since AIX intends  *
 	 * the extended info to remain unused     */
- 
+
 	if (file_acl->acl_mode & S_IXACL){
 		/* while we are not pointing to the very end */
 		while (acl_entry < acl_last(file_acl)) {
@@ -2115,7 +2115,7 @@ SMB_ACL_T sys_acl_get_fd(int fd)
 			}
 
 			idp = acl_entry->ace_id;
- 
+
 			/* Check if this is the first entry in the linked list. *
 			 * The first entry needs to keep prevp pointing to NULL *
 			 * and already has entryp allocated.                 */
@@ -2177,7 +2177,7 @@ SMB_ACL_T sys_acl_get_fd(int fd)
 
 			DEBUG(10, ("acl_entry = %d\n", acl_entry));
 			DEBUG(10, ("The ace_type is %d\n", acl_entry->ace_type));
- 
+
 			acl_entry = acl_nxt(acl_entry);
 		}
 	} /* end of if enabled */
@@ -2210,43 +2210,43 @@ SMB_ACL_T sys_acl_get_fd(int fd)
 		}
 
 		acl_entry_link->nextp = NULL;
- 
+
 		new_acl_entry = acl_entry_link->entryp;
 		idp = new_acl_entry->ace_id;
- 
+
 		new_acl_entry->ace_len = sizeof (struct acl_entry);
 		new_acl_entry->ace_type = ACC_PERMIT;
 		idp->id_len = sizeof (struct ace_id);
 		DEBUG(10, ("idp->id_len = %d\n", idp->id_len));
 		memset(idp->id_data, 0, sizeof (uid_t));
- 
+
 		switch (i) {
 		case 2:
 			new_acl_entry->ace_access = file_acl->g_access << 6;
 			idp->id_type = SMB_ACL_GROUP_OBJ;
 			break;
- 
+
 		case 3:
 			new_acl_entry->ace_access = file_acl->o_access << 6;
 			idp->id_type = SMB_ACL_OTHER;
 			break;
- 
+
 		case 1:
 			new_acl_entry->ace_access = file_acl->u_access << 6;
 			idp->id_type = SMB_ACL_USER_OBJ;
 			break;
- 
+
 		default:
 			return NULL;
 		}
- 
+
 		acl_entry_link_head->count++;
 		DEBUG(10, ("new_acl_entry->ace_access = %d\n", new_acl_entry->ace_access));
 	}
 
 	acl_entry_link_head->count = 0;
 	SAFE_FREE(file_acl);
- 
+
 	return acl_entry_link_head;
 }
 #endif
@@ -2274,7 +2274,7 @@ int sys_acl_get_info(SMB_ACL_ENTRY_T entry, SMB_ACL_TAG_T *tag_type_p, uint32 *b
 SMB_ACL_T sys_acl_init(int count)
 {
 	struct acl_entry_link *theacl = NULL;
- 
+
 	if (count < 0) {
 		errno = EINVAL;
 		return NULL;
@@ -2383,9 +2383,9 @@ int sys_acl_valid(SMB_ACL_T theacl)
 	}
 
 	DEBUG(10, ("user_obj=%d, group_obj=%d, other_obj=%d\n", user_obj, group_obj, other_obj));
- 
+
 	if (user_obj != 1 || group_obj != 1 || other_obj != 1)
-		return -1; 
+		return -1;
 
 	return 0;
 }
@@ -2404,7 +2404,7 @@ int sys_acl_set_file(const char *name, SMB_ACL_TYPE_T acltype, SMB_ACL_T theacl)
 
 	DEBUG(10, ("Entering sys_acl_set_file\n"));
 	DEBUG(10, ("File name is %s\n", name));
- 
+
 	/* AIX has no default ACL */
 	if (acltype == SMB_ACL_TYPE_DEFAULT)
 		return 0;
@@ -2449,7 +2449,7 @@ int sys_acl_set_file(const char *name, SMB_ACL_TYPE_T acltype, SMB_ACL_T theacl)
 				errno = ENOMEM;
 				DEBUG(0, ("Error in sys_acl_set_file is %d\n", errno));
 				return -1;
-			}  
+			}
 
 			memcpy(file_acl_temp, file_acl, file_acl->acl_len);
 			SAFE_FREE(file_acl);
@@ -2460,15 +2460,15 @@ int sys_acl_set_file(const char *name, SMB_ACL_TYPE_T acltype, SMB_ACL_T theacl)
 		file_acl->acl_len += sizeof (struct acl_entry);
 		acl_entry->ace_len = acl_entry_link->entryp->ace_len;
 		acl_entry->ace_access = acl_entry_link->entryp->ace_access;
- 
+
 		/* In order to use this, we'll need to wait until we can get denies */
 		/* if (!acl_entry->ace_access && acl_entry->ace_type == ACC_PERMIT)
 			acl_entry->ace_type = ACC_SPECIFY; */
 
 		acl_entry->ace_type = ACC_SPECIFY;
- 
+
 		ace_id = acl_entry->ace_id;
- 
+
 		ace_id->id_type = acl_entry_link->entryp->ace_id->id_type;
 		DEBUG(10, ("The id type is %d\n", ace_id->id_type));
 		ace_id->id_len = acl_entry_link->entryp->ace_id->id_len;
@@ -2496,7 +2496,7 @@ int sys_acl_set_fd(int fd, SMB_ACL_T theacl)
 	uint user_id;
 	uint acl_length;
 	uint rc;
- 
+
 	DEBUG(10, ("Entering sys_acl_set_fd\n"));
 	acl_length = BUFSIZ;
 	file_acl = (struct acl *)SMB_MALLOC(BUFSIZ);
@@ -2508,7 +2508,7 @@ int sys_acl_set_fd(int fd, SMB_ACL_T theacl)
 	}
 
 	memset(file_acl, 0, BUFSIZ);
- 
+
 	file_acl->acl_len = ACL_SIZ;
 	file_acl->acl_mode = S_IXACL;
 
@@ -2550,22 +2550,22 @@ int sys_acl_set_fd(int fd, SMB_ACL_T theacl)
 		file_acl->acl_len += sizeof (struct acl_entry);
 		acl_entry->ace_len = acl_entry_link->entryp->ace_len;
 		acl_entry->ace_access = acl_entry_link->entryp->ace_access;
- 
+
 		/* In order to use this, we'll need to wait until we can get denies */
 		/* if (!acl_entry->ace_access && acl_entry->ace_type == ACC_PERMIT)
 			acl_entry->ace_type = ACC_SPECIFY; */
- 
+
 		acl_entry->ace_type = ACC_SPECIFY;
- 
+
 		ace_id = acl_entry->ace_id;
- 
+
 		ace_id->id_type = acl_entry_link->entryp->ace_id->id_type;
 		DEBUG(10, ("The id type is %d\n", ace_id->id_type));
 		ace_id->id_len = acl_entry_link->entryp->ace_id->id_len;
 		memcpy(&user_id, acl_entry_link->entryp->ace_id->id_data, sizeof (uid_t));
 		memcpy(ace_id->id_data, &user_id, sizeof (uid_t));
 	}
- 
+
 	rc = fchacl(fd, file_acl, file_acl->acl_len);
 	DEBUG(10, ("errno is %d\n", errno));
 	DEBUG(10, ("return code is %d\n", rc));
@@ -2594,7 +2594,7 @@ int sys_acl_free_acl(SMB_ACL_T posix_acl)
 	SAFE_FREE(acl_entry_link->prevp);
 	SAFE_FREE(acl_entry_link->entryp);
 	SAFE_FREE(acl_entry_link);
- 
+
 	return 0;
 }
 

lib/sysacls.h

@@ -3,7 +3,7 @@
  * Version 2.2.x
  * Portable SMB ACL interface
  * Copyright (C) Jeremy Allison 2000
- * Copyright (C) 2007-2020 Wayne Davison
+ * Copyright (C) 2007-2022 Wayne Davison
  *
  * This program is free software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License as published by
@@ -232,7 +232,7 @@ struct new_acl_entry{
 
 #define SMB_ACL_ENTRY_T		struct new_acl_entry*
 #define SMB_ACL_T		struct acl_entry_link*
- 
+
 #define SMB_ACL_TAG_T		unsigned short
 #define SMB_ACL_TYPE_T		int
 

loadparm.c

@@ -178,7 +178,7 @@ static char *expand_vars(const char *str)
 
 	for (t = buf, f = str; bufsize && *f; ) {
 		if (*f == '%' && isUpper(f+1)) {
-			char *percent = strchr(f+1, '%');
+			const char *percent = strchr(f+1, '%');
 			if (percent && percent - f < bufsize) {
 				char *val;
 				strlcpy(t, f+1, percent - f);

log.c

@@ -36,8 +36,6 @@ extern int protocol_version;
 extern int always_checksum;
 extern int preserve_mtimes;
 extern int msgs2stderr;
-extern int xfersum_type;
-extern int checksum_type;
 extern int stdout_format_has_i;
 extern int stdout_format_has_o_or_i;
 extern int logfile_format_has_i;
@@ -62,6 +60,8 @@ extern unsigned int module_dirlen;
 extern char sender_file_sum[MAX_DIGEST_LEN];
 extern const char undetermined_hostname[];
 
+extern struct name_num_item *xfer_sum_nni, *file_sum_nni;
+
 static int log_initialised;
 static int logfile_was_closed;
 static FILE *logfile_fp;
@@ -456,11 +456,17 @@ void rsyserr(enum logcode code, int errcode, const char *format, ...)
 	char buf[BIGPATHBUFLEN];
 	size_t len;
 
+	/* snprintf returns the would-have-been length on truncation, so
+	 * each cumulative call must be guarded; if not, sizeof buf - len
+	 * can underflow when promoted to size_t and the next call writes
+	 * past the buffer. */
 	len = snprintf(buf, sizeof buf, RSYNC_NAME ": [%s] ", who_am_i());
 
-	va_start(ap, format);
-	len += vsnprintf(buf + len, sizeof buf - len, format, ap);
-	va_end(ap);
+	if (len < sizeof buf) {
+		va_start(ap, format);
+		len += vsnprintf(buf + len, sizeof buf - len, format, ap);
+		va_end(ap);
+	}
 
 	if (len < sizeof buf) {
 		len += snprintf(buf + len, sizeof buf - len,
@@ -680,12 +686,12 @@ static void log_formatted(enum logcode code, const char *format, const char *op,
 			n = NULL;
 			if (S_ISREG(file->mode)) {
 				if (always_checksum)
-					n = sum_as_hex(checksum_type, F_SUM(file), 1);
+					n = sum_as_hex(file_sum_nni->num, F_SUM(file), 1);
 				else if (iflags & ITEM_TRANSFER)
-					n = sum_as_hex(xfersum_type, sender_file_sum, 0);
+					n = sum_as_hex(xfer_sum_nni->num, sender_file_sum, 0);
 			}
 			if (!n) {
-				int sum_len = csum_len_for_type(always_checksum ? checksum_type : xfersum_type,
+				int sum_len = csum_len_for_type(always_checksum ? file_sum_nni->num : xfer_sum_nni->num,
 								always_checksum);
 				memset(buf2, ' ', sum_len*2);
 				buf2[sum_len*2] = '\0';

m4/have_type.m4

@@ -1,6 +1,5 @@
 dnl AC_HAVE_TYPE(TYPE,INCLUDES)
 AC_DEFUN([AC_HAVE_TYPE], [
-AC_REQUIRE([AC_HEADER_STDC])
 cv=`echo "$1" | sed 'y%./+- %__p__%'`
 AC_MSG_CHECKING(for $1)
 AC_CACHE_VAL([ac_cv_type_$cv],

main.c

@@ -104,7 +104,7 @@ extern char curr_dir[MAXPATHLEN];
 extern char backup_dir_buf[MAXPATHLEN];
 extern char *basis_dir[MAX_BASIS_DIRS+1];
 extern struct file_list *first_flist;
-extern filter_rule_list daemon_filter_list;
+extern filter_rule_list daemon_filter_list, implied_filter_list;
 
 uid_t our_uid;
 gid_t our_gid;
@@ -237,11 +237,11 @@ void write_del_stats(int f)
 
 void read_del_stats(int f)
 {
-	stats.deleted_files = read_varint(f);
-	stats.deleted_files += stats.deleted_dirs = read_varint(f);
-	stats.deleted_files += stats.deleted_symlinks = read_varint(f);
-	stats.deleted_files += stats.deleted_devices = read_varint(f);
-	stats.deleted_files += stats.deleted_specials = read_varint(f);
+	stats.deleted_files = read_varint_bounded(f, 0, MAX_WIRE_DEL_STAT, "deleted_files");
+	stats.deleted_files += stats.deleted_dirs = read_varint_bounded(f, 0, MAX_WIRE_DEL_STAT, "deleted_dirs");
+	stats.deleted_files += stats.deleted_symlinks = read_varint_bounded(f, 0, MAX_WIRE_DEL_STAT, "deleted_symlinks");
+	stats.deleted_files += stats.deleted_devices = read_varint_bounded(f, 0, MAX_WIRE_DEL_STAT, "deleted_devices");
+	stats.deleted_files += stats.deleted_specials = read_varint_bounded(f, 0, MAX_WIRE_DEL_STAT, "deleted_specials");
 }
 
 static void become_copy_as_user()
@@ -392,9 +392,18 @@ static void output_itemized_counts(const char *prefix, int *counts)
 		counts[0] -= counts[1] + counts[2] + counts[3] + counts[4];
 		for (j = 0; j < 5; j++) {
 			if (counts[j]) {
+				/* snprintf can return more than its size arg
+				 * on truncation; keep len <= sizeof buf - 2 so
+				 * the closing ')' and trailing NUL always
+				 * have room and the next iteration's
+				 * sizeof buf - len - 2 cannot underflow. */
+				if (len >= (int)sizeof buf - 2)
+					break;
 				len += snprintf(buf+len, sizeof buf - len - 2,
 					"%s%s: %s",
 					pre, labels[j], comma_num(counts[j]));
+				if (len > (int)sizeof buf - 2)
+					len = (int)sizeof buf - 2;
 				pre = ", ";
 			}
 		}
@@ -660,6 +669,16 @@ static pid_t do_cmd(char *cmd, char *machine, char *user, char **remote_argv, in
 	return pid;
 }
 
+/* Older versions turn an empty string as a reference to the current directory.
+ * We now treat this as an error unless --old-args was used. */
+static char *dot_dir_or_error()
+{
+	if (old_style_args || am_server)
+		return ".";
+	rprintf(FERROR, "Empty destination arg specified (use \".\" or see --old-args).\n");
+	exit_cleanup(RERR_SYNTAX);
+}
+
 /* The receiving side operates in one of two modes:
  *
  * 1. it receives any number of files into a destination directory,
@@ -687,9 +706,8 @@ static char *get_local_name(struct file_list *flist, char *dest_path)
 	if (!dest_path || list_only)
 		return NULL;
 
-	/* Treat an empty string as a copy into the current directory. */
 	if (!*dest_path)
-		dest_path = ".";
+		dest_path = dot_dir_or_error();
 
 	if (daemon_filter_list.head) {
 		char *slash = strrchr(dest_path, '/');
@@ -1076,6 +1094,7 @@ static int do_recv(int f_in, int f_out, char *local_name)
 	}
 
 	am_generator = 1;
+	implied_filter_list.head = implied_filter_list.tail = NULL;
 	flist_receiving_enabled = True;
 
 	io_end_multiplex_in(MPLX_SWITCHING);
@@ -1431,6 +1450,8 @@ static int start_client(int argc, char *argv[])
 
 			if (argc > 1) {
 				p = argv[--argc];
+				if (!*p)
+					p = dot_dir_or_error();
 				remote_argv = argv + argc;
 			} else {
 				static char *dotarg[1] = { "." };
@@ -1500,6 +1521,8 @@ static int start_client(int argc, char *argv[])
 		char *dummy_host;
 		int dummy_port = rsync_port;
 		int i;
+		if (filesfrom_fd < 0)
+			add_implied_include(remote_argv[0], daemon_connection);
 		/* For remote source, any extra source args must have either
 		 * the same hostname or an empty hostname. */
 		for (i = 1; i < remote_argc; i++) {
@@ -1523,6 +1546,7 @@ static int start_client(int argc, char *argv[])
 			if (!rsync_port && !*arg) /* Turn an empty arg into a dot dir. */
 				arg = ".";
 			remote_argv[i] = arg;
+			add_implied_include(arg, daemon_connection);
 		}
 	}
 
@@ -1553,6 +1577,10 @@ static int start_client(int argc, char *argv[])
 			shell_user = shell_machine;
 			shell_machine = p+1;
 		}
+		if (*shell_machine == '-') {
+			rprintf(FERROR, "Invalid remote host: hostnames may not start with '-'.\n");
+			exit_cleanup(RERR_SYNTAX);
+		}
 	}
 
 	if (DEBUG_GTE(CMD, 2)) {
@@ -1739,6 +1767,17 @@ int main(int argc,char *argv[])
 
 	unset_env_var("DISPLAY");
 
+#if defined USE_OPENSSL && defined SET_OPENSSL_CONF
+#define TO_STR2(x) #x
+#define TO_STR(x) TO_STR2(x)
+	/* ./configure --with-openssl-conf=/etc/ssl/openssl-rsync.cnf
+	 * defines SET_OPENSSL_CONF as that unquoted pathname. */
+	if (!getenv("OPENSSL_CONF")) /* Don't override it if it's already set. */
+		set_env_str("OPENSSL_CONF", TO_STR(SET_OPENSSL_CONF));
+#undef TO_STR
+#undef TO_STR2
+#endif
+
 	memset(&stats, 0, sizeof(stats));
 
 	/* Even a non-daemon runs needs the default config values to be set, e.g.

match.c

@@ -3,7 +3,7 @@
  *
  * Copyright (C) 1996 Andrew Tridgell
  * Copyright (C) 1996 Paul Mackerras
- * Copyright (C) 2003-2020 Wayne Davison
+ * Copyright (C) 2003-2022 Wayne Davison
  *
  * This program is free software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License as published by
@@ -24,7 +24,9 @@
 
 extern int checksum_seed;
 extern int append_mode;
-extern int xfersum_type;
+
+extern struct name_num_item *xfer_sum_nni;
+extern int xfer_sum_len;
 
 int updating_basis_file;
 char sender_file_sum[MAX_DIGEST_LEN];
@@ -145,6 +147,9 @@ static void hash_search(int f,struct sum_struct *s,
 	int more;
 	schar *map;
 
+	// prevent possible memory leaks
+	memset(sum2, 0, sizeof sum2);
+
 	/* want_i is used to encourage adjacent matches, allowing the RLL
 	 * coding of the output to work more efficiently. */
 	want_i = 0;
@@ -230,7 +235,7 @@ static void hash_search(int f,struct sum_struct *s,
 				done_csum2 = 1;
 			}
 
-			if (memcmp(sum2,s->sums[i].sum2,s->s2length) != 0) {
+			if (memcmp(sum2, sum2_at(s, i), s->s2length) != 0) {
 				false_alarms++;
 				continue;
 			}
@@ -250,7 +255,7 @@ static void hash_search(int f,struct sum_struct *s,
 					if (i != aligned_i) {
 						if (sum != s->sums[aligned_i].sum1
 						 || l != s->sums[aligned_i].len
-						 || memcmp(sum2, s->sums[aligned_i].sum2, s->s2length) != 0)
+						 || memcmp(sum2, sum2_at(s, aligned_i), s->s2length) != 0)
 							goto check_want_i;
 						i = aligned_i;
 					}
@@ -269,7 +274,7 @@ static void hash_search(int f,struct sum_struct *s,
 						if (sum != s->sums[i].sum1)
 							goto check_want_i;
 						get_checksum2((char *)map, l, sum2);
-						if (memcmp(sum2, s->sums[i].sum2, s->s2length) != 0)
+						if (memcmp(sum2, sum2_at(s, i), s->s2length) != 0)
 							goto check_want_i;
 						/* OK, we have a re-alignment match.  Bump the offset
 						 * forward to the new match point. */
@@ -288,7 +293,7 @@ static void hash_search(int f,struct sum_struct *s,
 			 && (!updating_basis_file || s->sums[want_i].offset >= offset
 			  || s->sums[want_i].flags & SUMFLG_SAME_OFFSET)
 			 && sum == s->sums[want_i].sum1
-			 && memcmp(sum2, s->sums[want_i].sum2, s->s2length) == 0) {
+			 && memcmp(sum2, sum2_at(s, want_i), s->s2length) == 0) {
 				/* we've found an adjacent match - the RLL coder
 				 * will be happy */
 				i = want_i;
@@ -356,15 +361,13 @@ static void hash_search(int f,struct sum_struct *s,
  **/
 void match_sums(int f, struct sum_struct *s, struct map_struct *buf, OFF_T len)
 {
-	int sum_len;
-
 	last_match = 0;
 	false_alarms = 0;
 	hash_hits = 0;
 	matches = 0;
 	data_transfer = 0;
 
-	sum_init(xfersum_type, checksum_seed);
+	sum_init(xfer_sum_nni, checksum_seed);
 
 	if (append_mode > 0) {
 		if (append_mode == 2) {
@@ -405,22 +408,22 @@ void match_sums(int f, struct sum_struct *s, struct map_struct *buf, OFF_T len)
 		matched(f, s, buf, len, -1);
 	}
 
-	sum_len = sum_end(sender_file_sum);
+	sum_end(sender_file_sum);
 
 	/* If we had a read error, send a bad checksum.  We use all bits
 	 * off as long as the checksum doesn't happen to be that, in
 	 * which case we turn the last 0 bit into a 1. */
 	if (buf && buf->status != 0) {
 		int i;
-		for (i = 0; i < sum_len && sender_file_sum[i] == 0; i++) {}
-		memset(sender_file_sum, 0, sum_len);
-		if (i == sum_len)
+		for (i = 0; i < xfer_sum_len && sender_file_sum[i] == 0; i++) {}
+		memset(sender_file_sum, 0, xfer_sum_len);
+		if (i == xfer_sum_len)
 			sender_file_sum[i-1]++;
 	}
 
 	if (DEBUG_GTE(DELTASUM, 2))
 		rprintf(FINFO,"sending file_sum\n");
-	write_buf(f, sender_file_sum, sum_len);
+	write_buf(f, sender_file_sum, xfer_sum_len);
 
 	if (DEBUG_GTE(DELTASUM, 2)) {
 		rprintf(FINFO, "false_alarms=%d hash_hits=%d matches=%d\n",

md-convert

@@ -115,7 +115,8 @@ NBR_SPACE = ('\xa0', r"\ ")
 
 FILENAME_RE = re.compile(r'^(?P<fn>(?P<srcdir>.+/)?(?P<name>(?P<prog>[^/]+?)(\.(?P<sect>\d+))?)\.md)$')
 ASSIGNMENT_RE = re.compile(r'^(\w+)=(.+)')
-QUOTED_RE = re.compile(r'"(.+?)"')
+VER_RE = re.compile(r'^#define\s+RSYNC_VERSION\s+"(\d.+?)"', re.M)
+TZ_RE = re.compile(r'^#define\s+MAINTAINER_TZ_OFFSET\s+(-?\d+(\.\d+)?)', re.M)
 VAR_REF_RE = re.compile(r'\$\{(\w+)\}')
 VERSION_RE = re.compile(r' (\d[.\d]+)[, ]')
 BIN_CHARS_RE = re.compile(r'[\1-\7]+')
@@ -148,7 +149,7 @@ def parse_md_file(mdfn):
     fi = argparse.Namespace(**fi.groupdict())
     fi.want_manpage = not not fi.sect
     if fi.want_manpage:
-        fi.title = fi.prog + '(' + fi.sect + ') man page'
+        fi.title = fi.prog + '(' + fi.sect + ') manpage'
     else:
         fi.title = fi.prog + ' for rsync'
 
@@ -213,6 +214,7 @@ def find_man_substitutions():
         env_subs['VERSION'] = '1.0.0'
         env_subs['bindir'] = '/usr/bin'
         env_subs['libdir'] = '/usr/lib/rsync'
+        tz_offset = 0
     else:
         for fn in (srcdir + 'version.h', 'Makefile'):
             try:
@@ -224,8 +226,10 @@ def find_man_substitutions():
 
         with open(srcdir + 'version.h', 'r', encoding='utf-8') as fh:
             txt = fh.read()
-        m = QUOTED_RE.search(txt)
+        m = VER_RE.search(txt)
         env_subs['VERSION'] = m.group(1)
+        m = TZ_RE.search(txt) # the tzdata lib may not be installed, so we use a simple hour offset
+        tz_offset = float(m.group(1)) * 60 * 60
 
         with open('Makefile', 'r', encoding='utf-8') as fh:
             for line in fh:
@@ -241,7 +245,7 @@ def find_man_substitutions():
                 if var == 'srcdir':
                     break
 
-    env_subs['date'] = time.strftime('%d %b %Y', time.localtime(mtime))
+    env_subs['date'] = time.strftime('%d %b %Y', time.gmtime(mtime + tz_offset)).lstrip('0')
 
 
 def html_via_commonmark(txt):
@@ -350,7 +354,7 @@ class TransformHtml(HTMLParser):
             st.txt += BOLD_FONT[0]
         elif tag == 'em' or  tag == 'i':
             if st.want_manpage:
-                tag = 'u' # Change it into underline to be more like the man page
+                tag = 'u' # Change it into underline to be more like the manpage
                 st.txt += UNDR_FONT[0]
         elif tag == 'ol':
             start = 1
@@ -385,7 +389,7 @@ class TransformHtml(HTMLParser):
                     if val.startswith(('https://', 'http://', 'mailto:', 'ftp:')):
                         pass # nothing to check
                     elif '#' in val:
-                        pg, tgt = val.split('#', 2)
+                        pg, tgt = val.split('#', 1)
                         if pg and pg not in VALID_PAGES or '#' in tgt:
                             st.bad_hashtags.add(val)
                         elif tgt in ('', 'opt', 'dopt'):
@@ -456,7 +460,7 @@ class TransformHtml(HTMLParser):
             add_to_txt = NORM_FONT[0]
         elif tag == 'em' or  tag == 'i':
             if st.want_manpage:
-                tag = 'u' # Change it into underline to be more like the man page
+                tag = 'u' # Change it into underline to be more like the manpage
                 add_to_txt = NORM_FONT[0]
         elif tag == 'ol' or tag == 'ul':
             if st.list_state.pop() == 'dl':
@@ -474,7 +478,7 @@ class TransformHtml(HTMLParser):
                 find = 'href="' + st.a_href + '"'
                 for j in range(len(st.html_out)-1, 0, -1):
                     if find in st.html_out[j]:
-                        pg, tgt = st.a_href.split('#', 2)
+                        pg, tgt = st.a_href.split('#', 1)
                         derived = txt2target(atxt, tgt)
                         if pg == '':
                             if derived in st.latest_targets:
@@ -605,12 +609,12 @@ def die(*msg):
 
 
 if __name__ == '__main__':
-    parser = argparse.ArgumentParser(description="Output html and (optionally) nroff for markdown pages.", add_help=False)
+    parser = argparse.ArgumentParser(description="Convert markdown into html and (optionally) nroff. Each input filename must have a .md suffix, which is changed to .html for the output filename. If the input filename ends with .num.md (e.g. foo.1.md) then a nroff file is also output with the input filename's .md suffix removed (e.g. foo.1).", add_help=False)
     parser.add_argument('--test', action='store_true', help="Just test the parsing without outputting any files.")
-    parser.add_argument('--dest', metavar='DIR', help="Put files into DIR instead of the current directory.")
+    parser.add_argument('--dest', metavar='DIR', help="Create files in DIR instead of the current directory.")
     parser.add_argument('--debug', '-D', action='count', default=0, help='Output copious info on the html parsing. Repeat for even more.')
     parser.add_argument("--help", "-h", action="help", help="Output this help message and exit.")
-    parser.add_argument("mdfiles", nargs='+', help="The source .md files to convert.")
+    parser.add_argument("mdfiles", metavar='FILE.md', nargs='+', help="One or more .md files to convert.")
     args = parser.parse_args()
 
     try:

mkgitver

@@ -1,14 +1,16 @@
 #!/bin/sh
 
 srcdir=`dirname $0`
-gitver=`git describe --abbrev=8 2>/dev/null`
 
 if [ ! -f git-version.h ]; then
     touch git-version.h
 fi
 
-case "$gitver" in
-    *.*)
+if test -d "$srcdir/.git" || test -f "$srcdir/.git"; then
+    gitver=`git describe --abbrev=8 2>/dev/null`
+    # NOTE: I'm avoiding "|" in sed since I'm not sure if sed -r is portable and "\|" fails on some OSes.
+    verchk=`echo "$gitver-" | sed -n '/^v3\.[0-9][0-9]*\.[0-9][0-9]*\(pre[0-9]*\)*-/p'`
+    if [ -n "$verchk" ]; then
 	echo "#define RSYNC_GITVER \"$gitver\"" >git-version.h.new
 	if ! diff git-version.h.new git-version.h >/dev/null; then
 	    echo "Updating git-version.h"
@@ -16,5 +18,5 @@ case "$gitver" in
 	else
 	    rm git-version.h.new
 	fi
-	;;
-esac
+    fi
+fi

options.c

@@ -27,6 +27,8 @@
 extern int module_id;
 extern int local_server;
 extern int sanitize_paths;
+extern int trust_sender_args;
+extern int trust_sender_filter;
 extern unsigned int module_dirlen;
 extern filter_rule_list filter_list;
 extern filter_rule_list daemon_filter_list;
@@ -47,6 +49,7 @@ int append_mode = 0;
 int keep_dirlinks = 0;
 int copy_dirlinks = 0;
 int copy_links = 0;
+int copy_devices = 0;
 int write_devices = 0;
 int preserve_links = 0;
 int preserve_hard_links = 0;
@@ -63,6 +66,7 @@ int preserve_atimes = 0;
 int preserve_crtimes = 0;
 int omit_dir_times = 0;
 int omit_link_times = 0;
+int trust_sender = 0;
 int update_only = 0;
 int open_noatime = 0;
 int cvs_exclude = 0;
@@ -109,11 +113,20 @@ int mkpath_dest_arg = 0;
 int allow_inc_recurse = 1;
 int xfer_dirs = -1;
 int am_daemon = 0;
+/* Set after a successful per-module chroot ("use chroot = yes") in
+ * clientserver.c. NOT set for the daemon-level "daemon chroot = /X"
+ * chroot: that confines path resolution to /X, but module paths
+ * /X/modA, /X/modB, etc. are not chroot boundaries, so the per-module
+ * symlink-race defenses (secure_relative_open() / do_*_at() in
+ * syscall.c, gated by `am_daemon && !am_chrooted`) must still fire
+ * even when the daemon is inside a daemon chroot. */
+int am_chrooted = 0;
 int connect_timeout = 0;
 int keep_partial = 0;
 int safe_symlinks = 0;
 int copy_unsafe_links = 0;
 int munge_symlinks = 0;
+int use_secure_symlinks = 0;
 int size_only = 0;
 int daemon_bwlimit = 0;
 int bwlimit = 0;
@@ -292,7 +305,7 @@ static struct output_struct debug_words[COUNT_DEBUG+1] = {
 	DEBUG_WORD(DELTASUM, W_SND|W_REC, "Debug delta-transfer checksumming (levels 1-4)"),
 	DEBUG_WORD(DUP, W_REC, "Debug weeding of duplicate names"),
 	DEBUG_WORD(EXIT, W_CLI|W_SRV, "Debug exit events (levels 1-3)"),
-	DEBUG_WORD(FILTER, W_SND|W_REC, "Debug filter actions (levels 1-2)"),
+	DEBUG_WORD(FILTER, W_SND|W_REC, "Debug filter actions (levels 1-3)"),
 	DEBUG_WORD(FLIST, W_SND|W_REC, "Debug file-list operations (levels 1-4)"),
 	DEBUG_WORD(FUZZY, W_REC, "Debug fuzzy scoring (levels 1-2)"),
 	DEBUG_WORD(GENR, W_REC, "Debug generator functions"),
@@ -656,6 +669,7 @@ static struct poptOption long_options[] = {
   {"no-D",             0,  POPT_ARG_NONE,   0, OPT_NO_D, 0, 0 },
   {"devices",          0,  POPT_ARG_VAL,    &preserve_devices, 1, 0, 0 },
   {"no-devices",       0,  POPT_ARG_VAL,    &preserve_devices, 0, 0, 0 },
+  {"copy-devices",     0,  POPT_ARG_NONE,   &copy_devices, 0, 0, 0 },
   {"write-devices",    0,  POPT_ARG_VAL,    &write_devices, 1, 0, 0 },
   {"no-write-devices", 0,  POPT_ARG_VAL,    &write_devices, 0, 0, 0 },
   {"specials",         0,  POPT_ARG_VAL,    &preserve_specials, 1, 0, 0 },
@@ -783,9 +797,12 @@ static struct poptOption long_options[] = {
   {"no-from0",         0,  POPT_ARG_VAL,    &eol_nulls, 0, 0, 0},
   {"old-args",         0,  POPT_ARG_NONE,   0, OPT_OLD_ARGS, 0, 0},
   {"no-old-args",      0,  POPT_ARG_VAL,    &old_style_args, 0, 0, 0},
-  {"protect-args",    's', POPT_ARG_VAL,    &protect_args, 1, 0, 0},
+  {"secluded-args",   's', POPT_ARG_VAL,    &protect_args, 1, 0, 0},
+  {"no-secluded-args", 0,  POPT_ARG_VAL,    &protect_args, 0, 0, 0},
+  {"protect-args",     0,  POPT_ARG_VAL,    &protect_args, 1, 0, 0},
   {"no-protect-args",  0,  POPT_ARG_VAL,    &protect_args, 0, 0, 0},
   {"no-s",             0,  POPT_ARG_VAL,    &protect_args, 0, 0, 0},
+  {"trust-sender",     0,  POPT_ARG_VAL,    &trust_sender, 1, 0, 0},
   {"numeric-ids",      0,  POPT_ARG_VAL,    &numeric_ids, 1, 0, 0 },
   {"no-numeric-ids",   0,  POPT_ARG_VAL,    &numeric_ids, 0, 0, 0 },
   {"usermap",          0,  POPT_ARG_STRING, 0, OPT_USERMAP, 0, 0 },
@@ -944,11 +961,12 @@ static void set_refuse_options(void)
 		if (!am_daemon
 		 || op->shortName == 'e' /* Required for compatibility flags */
 		 || op->shortName == '0' /* --from0 just modifies --files-from, so refuse that instead (or not) */
-		 || op->shortName == 's' /* --protect-args is always OK */
+		 || op->shortName == 's' /* --secluded-args is always OK */
 		 || op->shortName == 'n' /* --dry-run is always OK */
 		 || strcmp("iconv", longName) == 0
 		 || strcmp("no-iconv", longName) == 0
 		 || strcmp("checksum-seed", longName) == 0
+		 || strcmp("copy-devices", longName) == 0 /* disable wild-match (it gets refused below) */
 		 || strcmp("write-devices", longName) == 0 /* disable wild-match (it gets refused below) */
 		 || strcmp("log-format", longName) == 0 /* aka out-format (NOT log-file-format) */
 		 || strcmp("sender", longName) == 0
@@ -960,6 +978,7 @@ static void set_refuse_options(void)
 	assert(list_end != NULL);
 
 	if (am_daemon) { /* Refused by default, but can be accepted via a negated exact match. */
+		parse_one_refuse_match(0, "copy-devices", list_end);
 		parse_one_refuse_match(0, "write-devices", list_end);
 	}
 
@@ -1145,7 +1164,7 @@ static time_t parse_time(const char *arg)
 {
 	const char *cp;
 	time_t val, now = time(NULL);
-	struct tm t, *today = localtime(&now);
+	struct tm t, tmp, *today = localtime_r(&now, &tmp);
 	int in_date, old_mday, n;
 
 	memset(&t, 0, sizeof t);
@@ -1362,6 +1381,10 @@ int parse_arguments(int *argc_p, const char ***argv_p)
 	if (pc)
 		poptFreeContext(pc);
 	pc = poptGetContext(RSYNC_NAME, argc, argv, long_options, 0);
+	if (pc == NULL) {
+		strlcpy(err_buf, "poptGetContext returned NULL\n", sizeof err_buf);
+		return 0;
+	}
 	if (!am_server) {
 		poptReadDefaultConfig(pc, 0);
 		popt_unalias(pc, "--daemon");
@@ -1916,7 +1939,7 @@ int parse_arguments(int *argc_p, const char ***argv_p)
 		saw_stderr_opt = 1;
 
 	if (version_opt_cnt) {
-		print_rsync_version(FINFO);
+		print_rsync_version(version_opt_cnt > 1 && !am_server ? FNONE : FINFO);
 		exit_cleanup(0);
 	}
 
@@ -1941,7 +1964,7 @@ int parse_arguments(int *argc_p, const char ***argv_p)
 	} else if (old_style_args) {
 		if (protect_args > 0) {
 			snprintf(err_buf, sizeof err_buf,
-				 "--protect-args conflicts with --old-args.\n");
+				 "--secluded-args conflicts with --old-args.\n");
 			return 0;
 		}
 		protect_args = 0;
@@ -1953,7 +1976,7 @@ int parse_arguments(int *argc_p, const char ***argv_p)
 		else if ((arg = getenv("RSYNC_PROTECT_ARGS")) != NULL && *arg)
 			protect_args = atoi(arg) ? 1 : 0;
 		else {
-#ifdef RSYNC_USE_PROTECTED_ARGS
+#ifdef RSYNC_USE_SECLUDED_ARGS
 			protect_args = 1;
 #else
 			protect_args = 0;
@@ -2461,6 +2484,11 @@ int parse_arguments(int *argc_p, const char ***argv_p)
 		}
 	}
 
+	if (trust_sender || am_server || read_batch)
+		trust_sender_args = trust_sender_filter = 1;
+	else if (old_style_args || filesfrom_host != NULL)
+		trust_sender_args = 1;
+
 	am_starting_up = 0;
 
 	return 1;
@@ -2488,12 +2516,19 @@ char *safe_arg(const char *opt, const char *arg)
 	BOOL is_filename_arg = !opt;
 	char *escapes = is_filename_arg ? SHELL_CHARS : WILD_CHARS SHELL_CHARS;
 	BOOL escape_leading_dash = is_filename_arg && *arg == '-';
+	BOOL escape_leading_tilde = 0;
 	int len1 = opt && *opt ? strlen(opt) + 1 : 0;
 	int len2 = strlen(arg);
 	int extras = escape_leading_dash ? 2 : 0;
 	char *ret;
 	if (!protect_args && old_style_args < 2 && (!old_style_args || (!is_filename_arg && opt != SPLIT_ARG_WHEN_OLD))) {
 		const char *f;
+		if (!trust_sender_args && *arg == '~'
+		 && ((relative_paths && !strstr(arg, "/./"))
+		  || !strchr(arg, '/'))) {
+			extras++;
+			escape_leading_tilde = 1;
+		}
 		for (f = arg; *f; f++) {
 			if (strchr(escapes, *f))
 				extras++;
@@ -2516,8 +2551,13 @@ char *safe_arg(const char *opt, const char *arg)
 	else {
 		const char *f = arg;
 		char *t = ret + len1;
+		if (escape_leading_tilde)
+			*t++ = '\\';
 		while (*f) {
-			if (strchr(escapes, *f))
+                        if (*f == '\\') {
+				if (!is_filename_arg || !strchr(WILD_CHARS, f[1]))
+					*t++ = '\\';
+			} else if (strchr(escapes, *f))
 				*t++ = '\\';
 			*t++ = *f++;
 		}
@@ -2917,6 +2957,9 @@ void server_options(char **args, int *argc_p)
 	else if (remove_source_files)
 		args[ac++] = "--remove-sent-files";
 
+	if (copy_devices && !am_sender)
+		args[ac++] = "--copy-devices";
+
 	if (preallocate_files && am_sender)
 		args[ac++] = "--preallocate";
 

packaging/cull-options

@@ -27,6 +27,7 @@ long_opts = { # These include some extra long-args that BackupPC uses:
         'recursive': 0,
         'stderr': 1,
         'times': 0,
+        'copy-devices': -1,
         'write-devices': -1,
         }
 

packaging/lsb/rsync.spec

@@ -1,9 +1,9 @@
 Summary: A fast, versatile, remote (and local) file-copying tool
 Name: rsync
-Version: 3.2.4
-%define fullversion %{version}pre3
-Release: 0.1.pre3
-%define srcdir src-previews
+Version: 3.2.7
+%define fullversion %{version}
+Release: 1
+%define srcdir src
 Group: Applications/Internet
 License: GPL
 Source0: https://rsync.samba.org/ftp/rsync/%{srcdir}/rsync-%{fullversion}.tar.gz
@@ -79,8 +79,8 @@ rm -rf $RPM_BUILD_ROOT
 %dir /etc/rsync-ssl/certs
 
 %changelog
-* Tue Jan 18 2022 Wayne Davison <wayne@opencoder.net>
-Released 3.2.4pre3.
+* Thu Oct 20 2022 Wayne Davison <wayne@opencoder.net>
+Released 3.2.7.
 
 * Fri Mar 21 2008 Wayne Davison <wayne@opencoder.net>
 Added installation of /etc/xinetd.d/rsync file and some commented-out

packaging/openssl-rsync.cnf

@@ -0,0 +1,18 @@
+# This config file can be used with rsync to enable legacy digests
+# (such as MD4) by using the OPENSSL_CONF environment variable.
+# See rsync's configure --with-openssl-conf=/path/name option.
+
+openssl_conf = openssl_init
+
+[openssl_init]
+providers = provider_sect
+
+[provider_sect]
+default = default_sect
+legacy = legacy_sect
+
+[default_sect]
+activate = 1
+
+[legacy_sect]
+activate = 1

packaging/pkglib.py

@@ -32,7 +32,7 @@ def _tweak_opts(cmd, opts, **maybe_set_args):
     opts = opts.copy()
     _maybe_set(opts, **maybe_set_args)
 
-    if type(cmd) == str:
+    if isinstance(cmd, str):
         _maybe_set(opts, shell=True)
 
     want_raw = opts.pop('raw', False)
@@ -176,7 +176,7 @@ def mandate_gensend_hook():
         print('Creating hook file:', hook)
         cmd_chk(['./rsync', '-a', 'packaging/pre-push', hook])
     else:
-        ct = cmd_txt(['fgrep', 'make gensend', hook], discard='output')
+        ct = cmd_txt(['grep', 'make gensend', hook], discard='output')
         if ct.rc:
             die('Please add a "make gensend" into your', hook, 'script.')
 

packaging/release-rsync

@@ -105,6 +105,8 @@ def main():
         if not re.match(r'^del', ans, flags=re.I):
             die("Aborted")
         cmd_chk(['git', 'tag', '-d', v_ver])
+        if os.path.isdir('patches/.git'):
+            cmd_chk(f"cd patches && git tag -d '{v_ver}'")
 
     version = re.sub(r'[-.]*pre[-.]*', 'pre', version)
     if 'pre' in version and not curversion.endswith('dev'):
@@ -193,7 +195,9 @@ About to:
         with open(fn, 'r', encoding='utf-8') as fh:
             old_txt = txt = fh.read()
         if fn == 'version.h':
-            txt = f'#define RSYNC_VERSION "{version}"\n'
+            x_re = re.compile(r'^(#define RSYNC_VERSION).*', re.M)
+            msg = f"Unable to update RSYNC_VERSION in {fn}"
+            txt = replace_or_die(x_re, r'\1 "%s"' % version, txt, msg)
         elif '.spec' in fn:
             for var, val in specvars.items():
                 x_re = re.compile(r'^%s .*' % re.escape(var), re.M)
@@ -230,7 +234,7 @@ About to:
     cmd_chk(['packaging/year-tweak'])
 
     print(dash_line)
-    cmd_run("git diff")
+    cmd_run("git diff".split())
 
     srctar_name = f"{rsync_ver}.tar.gz"
     pattar_name = f"rsync-patches-{version}.tar.gz"
@@ -245,20 +249,20 @@ About to:
 
 About to:
     - git commit all changes
-    - generate the manpages
+    - run a full build, ensuring that the manpages & configure.sh are up-to-date
     - merge the {args.master_branch} branch into the patch/{args.master_branch}/* branches
     - update the files in the "patches" dir and OPTIONALLY (if you type 'y') to
       run patch-update with the --make option (which opens a shell on error)
 """)
     ans = input("<Press Enter OR 'y' to continue> ")
 
-    s = cmd_run(['git', 'commit', '-a', '-m', f'Preparing for release of {version}'])
+    s = cmd_run(['git', 'commit', '-a', '-m', f'Preparing for release of {version} [buildall]'])
     if s.returncode:
         die('Aborting')
 
-    cmd_chk('make gen')
+    cmd_chk('touch configure.ac && packaging/smart-make && make gen')
 
-    print(f'Creating any missing patch branches.')
+    print('Creating any missing patch branches.')
     s = cmd_run(f'packaging/branch-from-patch --branch={args.master_branch} --add-missing')
     if s.returncode:
         die('Aborting')

packaging/systemd/rsync.service

@@ -7,6 +7,7 @@ Documentation=man:rsync(1) man:rsyncd.conf(5)
 [Service]
 ExecStart=/usr/bin/rsync --daemon --no-detach
 RestartSec=1
+Restart=on-failure
 
 # Citing README.md:
 #

popt/poptparse.c

@@ -36,9 +36,15 @@ int poptDupArgv(int argc, const char **argv,
     dst += (argc + 1) * sizeof(*argv);
 
     /*@-branchstate@*/
-    for (i = 0; i < argc; i++) {
-	argv2[i] = dst;
-	dst += strlcpy(dst, argv[i], nb) + 1;
+    {
+	char * const end_buf = (char *)argv2 + nb;
+	for (i = 0; i < argc; i++) {
+	    argv2[i] = dst;
+	    /* nb is the TOTAL buffer size, not the remaining bytes; use the
+	     * remaining bytes from dst to end_buf so glibc 2.39+ fortified
+	     * strlcpy doesn't trip __bos() and abort. */
+	    dst += strlcpy(dst, argv[i], end_buf - dst) + 1;
+	}
     }
     /*@=branchstate@*/
     argv2[argc] = NULL;

prepare-source

@@ -6,7 +6,7 @@
 #
 #   build     build the config files [the default w/no arg]
 #   fetch     fetch the latest dev autoconfig files
-#   fetchgen  fetch all the latest dev generated files (including man pages)
+#   fetchgen  fetch all the latest dev generated files (including manpages)
 #   fetchSRC  fetch the latest dev source files [NON-GENERATED FILES]
 #
 # The script stops after the first successful action.

receiver.c

@@ -56,7 +56,6 @@ extern int inplace;
 extern int inplace_partial;
 extern int allowed_lull;
 extern int delay_updates;
-extern int xfersum_type;
 extern BOOL want_progress_now;
 extern mode_t orig_umask;
 extern struct stats stats;
@@ -67,6 +66,11 @@ extern char sender_file_sum[MAX_DIGEST_LEN];
 extern struct file_list *cur_flist, *first_flist, *dir_flist;
 extern filter_rule_list daemon_filter_list;
 extern OFF_T preallocated_len;
+extern int fuzzy_basis;
+
+extern struct name_num_item *xfer_sum_nni;
+extern int xfer_sum_len;
+extern int use_secure_symlinks;
 
 static struct bitbag *delayed_bits = NULL;
 static int phase = 0, redoing = 0;
@@ -211,7 +215,12 @@ int open_tmpfile(char *fnametmp, const char *fname, struct file_struct *file)
 	 * access to ensure that there is no race condition.  They will be
 	 * correctly updated after the right owner and group info is set.
 	 * (Thanks to snabb@epipe.fi for pointing this out.) */
-	fd = do_mkstemp(fnametmp, (file->mode|added_perms) & INITACCESSPERMS);
+	/* When use_secure_symlinks is on (non-chroot daemon with munge_symlinks),
+	 * use secure_mkstemp to prevent symlink race attacks on parent directories. */
+	if (use_secure_symlinks)
+		fd = secure_mkstemp(fnametmp, (file->mode|added_perms) & INITACCESSPERMS);
+	else
+		fd = do_mkstemp(fnametmp, (file->mode|added_perms) & INITACCESSPERMS);
 
 #if 0
 	/* In most cases parent directories will already exist because their
@@ -240,7 +249,6 @@ static int receive_data(int f_in, char *fname_r, int fd_r, OFF_T size_r,
 	static char file_sum1[MAX_DIGEST_LEN];
 	struct map_struct *mapbuf;
 	struct sum_struct sum;
-	int sum_len;
 	int32 len;
 	OFF_T total_size = F_LENGTH(file);
 	OFF_T offset = 0;
@@ -280,7 +288,7 @@ static int receive_data(int f_in, char *fname_r, int fd_r, OFF_T size_r,
 	} else
 		mapbuf = NULL;
 
-	sum_init(xfersum_type, checksum_seed);
+	sum_init(xfer_sum_nni, checksum_seed);
 
 	if (append_mode > 0) {
 		OFF_T j;
@@ -310,7 +318,12 @@ static int receive_data(int f_in, char *fname_r, int fd_r, OFF_T size_r,
 		}
 	}
 
-	while ((i = recv_token(f_in, &data)) != 0) {
+	while (1) {
+		data = NULL;
+		i = recv_token(f_in, &data);
+		if (i == 0)
+			break;
+
 		if (INFO_GTE(PROGRESS, 1))
 			show_progress(offset, total_size);
 
@@ -318,6 +331,10 @@ static int receive_data(int f_in, char *fname_r, int fd_r, OFF_T size_r,
 			maybe_send_keepalive(time(NULL), MSK_ALLOW_FLUSH | MSK_ACTIVE_RECEIVER);
 
 		if (i > 0) {
+			if (!data) {
+				rprintf(FERROR, "Invalid literal token with no data [%s]\n", who_am_i());
+				exit_cleanup(RERR_PROTOCOL);
+			}
 			if (DEBUG_GTE(DELTASUM, 3)) {
 				rprintf(FINFO,"data recv %d at %s\n",
 					i, big_num(offset));
@@ -335,6 +352,11 @@ static int receive_data(int f_in, char *fname_r, int fd_r, OFF_T size_r,
 		}
 
 		i = -(i+1);
+		if (i < 0 || i >= sum.count) {
+			rprintf(FERROR, "Invalid block index %d (count=%ld) [%s]\n",
+				i, (long)sum.count, who_am_i());
+			exit_cleanup(RERR_PROTOCOL);
+		}
 		offset2 = i * (OFF_T)sum.blength;
 		len = sum.blength;
 		if (i == (int)sum.count-1 && sum.remainder != 0)
@@ -393,7 +415,7 @@ static int receive_data(int f_in, char *fname_r, int fd_r, OFF_T size_r,
 	if (INFO_GTE(PROGRESS, 1))
 		end_progress(total_size);
 
-	sum_len = sum_end(file_sum1);
+	sum_end(file_sum1);
 
 	if (do_fsync && fd != -1 && fsync(fd) != 0) {
 		rsyserr(FERROR, errno, "fsync failed on %s", full_fname(fname));
@@ -403,10 +425,10 @@ static int receive_data(int f_in, char *fname_r, int fd_r, OFF_T size_r,
 	if (mapbuf)
 		unmap_file(mapbuf);
 
-	read_buf(f_in, sender_file_sum, sum_len);
+	read_buf(f_in, sender_file_sum, xfer_sum_len);
 	if (DEBUG_GTE(DELTASUM, 2))
 		rprintf(FINFO,"got file_sum\n");
-	if (fd != -1 && memcmp(file_sum1, sender_file_sum, sum_len) != 0)
+	if (fd != -1 && memcmp(file_sum1, sender_file_sum, xfer_sum_len) != 0)
 		return 0;
 	return 1;
 }
@@ -434,14 +456,13 @@ static void handle_delayed_updates(char *local_name)
 			}
 			/* We don't use robust_rename() here because the
 			 * partial-dir must be on the same drive. */
-			if (do_rename(partialptr, fname) < 0) {
+			if (do_rename_at(partialptr, fname) < 0) {
 				rsyserr(FERROR_XFER, errno,
 					"rename failed for %s (from %s)",
 					full_fname(fname), partialptr);
 			} else {
-				if (remove_source_files
-				 || (preserve_hard_links && F_IS_HLINKED(file)))
-					send_msg_int(MSG_SUCCESS, ndx);
+				if (remove_source_files || (preserve_hard_links && F_IS_HLINKED(file)))
+					send_msg_success(fname, ndx);
 				handle_partial_dir(partialptr, PDIR_DELETE);
 			}
 		}
@@ -451,7 +472,10 @@ static void handle_delayed_updates(char *local_name)
 static void no_batched_update(int ndx, BOOL is_redo)
 {
 	struct file_list *flist = flist_for_ndx(ndx, "no_batched_update");
-	struct file_struct *file = flist->files[ndx - flist->ndx_start];
+	struct file_struct *file;
+	if (ndx < flist->ndx_start)
+		exit_cleanup(RERR_PROTOCOL);
+	file = flist->files[ndx - flist->ndx_start];
 
 	rprintf(FERROR_XFER, "(No batched update for%s \"%s\")\n",
 		is_redo ? " resend of" : "", f_name(file, NULL));
@@ -551,6 +575,8 @@ int recv_files(int f_in, int f_out, char *local_name)
 	progress_init();
 
 	while (1) {
+		const char *basedir = NULL;
+
 		cleanup_disable();
 
 		/* This call also sets cur_flist. */
@@ -586,6 +612,8 @@ int recv_files(int f_in, int f_out, char *local_name)
 
 		if (ndx - cur_flist->ndx_start >= 0)
 			file = cur_flist->files[ndx - cur_flist->ndx_start];
+		else if (cur_flist->parent_ndx < 0)
+			exit_cleanup(RERR_PROTOCOL);
 		else
 			file = dir_flist->files[cur_flist->parent_ndx];
 		fname = local_name ? local_name : f_name(file, fbuf);
@@ -593,10 +621,13 @@ int recv_files(int f_in, int f_out, char *local_name)
 		if (DEBUG_GTE(RECV, 1))
 			rprintf(FINFO, "recv_files(%s)\n", fname);
 
-		if (daemon_filter_list.head && (*fname != '.' || fname[1] != '\0')
-		 && check_filter(&daemon_filter_list, FLOG, fname, 0) < 0) {
-			rprintf(FERROR, "attempt to hack rsync failed.\n");
-			exit_cleanup(RERR_PROTOCOL);
+		if (daemon_filter_list.head && (*fname != '.' || fname[1] != '\0')) {
+			int filt_flags = S_ISDIR(file->mode) ? NAME_IS_DIR : NAME_IS_FILE;
+			if (check_filter(&daemon_filter_list, FLOG, fname, filt_flags) < 0) {
+				rprintf(FERROR, "ERROR: rejecting file transfer request for daemon excluded file: %s\n",
+					fname);
+				exit_cleanup(RERR_PROTOCOL);
+			}
 		}
 
 #ifdef SUPPORT_XATTRS
@@ -695,7 +726,7 @@ int recv_files(int f_in, int f_out, char *local_name)
 			if (!am_server)
 				discard_receive_data(f_in, file);
 			if (inc_recurse)
-				send_msg_int(MSG_SUCCESS, ndx);
+				send_msg_success(fname, ndx);
 			continue;
 		}
 
@@ -713,28 +744,34 @@ int recv_files(int f_in, int f_out, char *local_name)
 				fnamecmp = get_backup_name(fname);
 				break;
 			case FNAMECMP_FUZZY:
+				if (fuzzy_basis == 0) {
+					rprintf(FERROR_XFER, "rsync: refusing malicious fuzzy operation for %s\n", xname);
+					exit_cleanup(RERR_PROTOCOL);
+				}
 				if (file->dirname) {
-					pathjoin(fnamecmpbuf, sizeof fnamecmpbuf, file->dirname, xname);
-					fnamecmp = fnamecmpbuf;
-				} else
-					fnamecmp = xname;
+					basedir = file->dirname;
+				}
+				fnamecmp = xname;
 				break;
 			default:
 				if (fnamecmp_type > FNAMECMP_FUZZY && fnamecmp_type-FNAMECMP_FUZZY <= basis_dir_cnt) {
 					fnamecmp_type -= FNAMECMP_FUZZY + 1;
 					if (file->dirname) {
-						stringjoin(fnamecmpbuf, sizeof fnamecmpbuf,
-							   basis_dir[fnamecmp_type], "/", file->dirname, "/", xname, NULL);
-					} else
-						pathjoin(fnamecmpbuf, sizeof fnamecmpbuf, basis_dir[fnamecmp_type], xname);
+						pathjoin(fnamecmpbuf, sizeof fnamecmpbuf, basis_dir[fnamecmp_type], file->dirname);
+						basedir = fnamecmpbuf;
+					} else {
+						basedir = basis_dir[fnamecmp_type];
+					}
+					fnamecmp = xname;
 				} else if (fnamecmp_type >= basis_dir_cnt) {
 					rprintf(FERROR,
 						"invalid basis_dir index: %d.\n",
 						fnamecmp_type);
 					exit_cleanup(RERR_PROTOCOL);
-				} else
-					pathjoin(fnamecmpbuf, sizeof fnamecmpbuf, basis_dir[fnamecmp_type], fname);
-				fnamecmp = fnamecmpbuf;
+				} else {
+					basedir = basis_dir[fnamecmp_type];
+					fnamecmp = fname;
+				}
 				break;
 			}
 			if (!fnamecmp || (daemon_filter_list.head
@@ -757,25 +794,31 @@ int recv_files(int f_in, int f_out, char *local_name)
 		}
 
 		/* open the file */
-		fd1 = do_open(fnamecmp, O_RDONLY, 0);
+		fd1 = secure_relative_open(basedir, fnamecmp, O_RDONLY, 0);
 
 		if (fd1 == -1 && protocol_version < 29) {
 			if (fnamecmp != fname) {
 				fnamecmp = fname;
 				fnamecmp_type = FNAMECMP_FNAME;
-				fd1 = do_open(fnamecmp, O_RDONLY, 0);
+				fd1 = do_open_nofollow(fnamecmp, O_RDONLY);
 			}
 
 			if (fd1 == -1 && basis_dir[0]) {
 				/* pre-29 allowed only one alternate basis */
-				pathjoin(fnamecmpbuf, sizeof fnamecmpbuf,
-					 basis_dir[0], fname);
-				fnamecmp = fnamecmpbuf;
+				basedir = basis_dir[0];
+				fnamecmp = fname;
 				fnamecmp_type = FNAMECMP_BASIS_DIR_LOW;
-				fd1 = do_open(fnamecmp, O_RDONLY, 0);
+				fd1 = secure_relative_open(basedir, fnamecmp, O_RDONLY, 0);
 			}
 		}
 
+		if (basedir) {
+			// for the following code we need the full
+			// path name as a single string
+			pathjoin(fnamecmpbuf, sizeof fnamecmpbuf, basedir, fnamecmp);
+			fnamecmp = fnamecmpbuf;
+		}
+
 		one_inplace = inplace_partial && fnamecmp_type == FNAMECMP_PARTIAL_DIR;
 		updating_basis_or_equiv = one_inplace
 		    || (inplace && (fnamecmp == fname || fnamecmp_type == FNAMECMP_BACKUP));
@@ -808,14 +851,16 @@ int recv_files(int f_in, int f_out, char *local_name)
 			continue;
 		}
 
-		if (fd1 != -1 && !(S_ISREG(st.st_mode) || (write_devices && IS_DEVICE(st.st_mode)))) {
+		if (write_devices && IS_DEVICE(st.st_mode)) {
+			if (fd1 != -1 && st.st_size == 0)
+				st.st_size = get_device_size(fd1, fname);
+			/* Mark the file entry as a device so that we don't try to truncate it later on. */
+			file->mode = S_IFBLK | (file->mode & ACCESSPERMS);
+		} else if (fd1 != -1 && !(S_ISREG(st.st_mode))) {
 			close(fd1);
 			fd1 = -1;
 		}
 
-		if (fd1 != -1 && IS_DEVICE(st.st_mode) && st.st_size == 0)
-			st.st_size = get_device_size(fd1, fname);
-
 		/* If we're not preserving permissions, change the file-list's
 		 * mode based on the local permissions and some heuristics. */
 		if (!preserve_perms) {
@@ -834,11 +879,21 @@ int recv_files(int f_in, int f_out, char *local_name)
 		/* We now check to see if we are writing the file "inplace" */
 		if (inplace || one_inplace)  {
 			fnametmp = one_inplace ? partialptr : fname;
-			fd2 = do_open(fnametmp, O_WRONLY|O_CREAT, 0600);
+			/* When use_secure_symlinks is on (non-chroot daemon),
+			 * use secure open to prevent symlink race attacks where an
+			 * attacker could switch a directory to a symlink between
+			 * path validation and file open. */
+			if (use_secure_symlinks)
+				fd2 = secure_relative_open(NULL, fnametmp, O_WRONLY|O_CREAT, 0600);
+			else
+				fd2 = do_open(fnametmp, O_WRONLY|O_CREAT, 0600);
 #ifdef linux
 			if (fd2 == -1 && errno == EACCES) {
 				/* Maybe the error was due to protected_regular setting? */
-				fd2 = do_open(fname, O_WRONLY, 0600);
+				if (use_secure_symlinks)
+					fd2 = secure_relative_open(NULL, fname, O_WRONLY, 0600);
+				else
+					fd2 = do_open(fname, O_WRONLY, 0600);
 			}
 #endif
 			if (fd2 == -1) {
@@ -890,7 +945,7 @@ int recv_files(int f_in, int f_out, char *local_name)
 				recv_ok = -1;
 			else if (fnamecmp == partialptr) {
 				if (!one_inplace)
-					do_unlink(partialptr);
+					do_unlink_at(partialptr);
 				handle_partial_dir(partialptr, PDIR_DELETE);
 			}
 		} else if (keep_partial && partialptr && (!one_inplace || delay_updates)) {
@@ -899,7 +954,7 @@ int recv_files(int f_in, int f_out, char *local_name)
 					"Unable to create partial-dir for %s -- discarding %s.\n",
 					local_name ? local_name : f_name(file, NULL),
 					recv_ok ? "completed file" : "partial file");
-				do_unlink(fnametmp);
+				do_unlink_at(fnametmp);
 				recv_ok = -1;
 			} else if (!finish_transfer(partialptr, fnametmp, fnamecmp, NULL,
 						    file, recv_ok, !partial_dir))
@@ -910,7 +965,7 @@ int recv_files(int f_in, int f_out, char *local_name)
 			} else
 				partialptr = NULL;
 		} else if (!one_inplace)
-			do_unlink(fnametmp);
+			do_unlink_at(fnametmp);
 
 		cleanup_disable();
 
@@ -921,9 +976,8 @@ int recv_files(int f_in, int f_out, char *local_name)
 		case 2:
 			break;
 		case 1:
-			if (remove_source_files || inc_recurse
-			 || (preserve_hard_links && F_IS_HLINKED(file)))
-				send_msg_int(MSG_SUCCESS, ndx);
+			if (remove_source_files || inc_recurse || (preserve_hard_links && F_IS_HLINKED(file)))
+				send_msg_success(fname, ndx);
 			break;
 		case 0: {
 			enum logcode msgtype = redoing ? FERROR_XFER : FWARNING;

rsync-ssl.1.md

@@ -8,7 +8,7 @@ rsync-ssl - a helper script for connecting to an ssl rsync daemon
 rsync-ssl [--type=SSL_TYPE] RSYNC_ARGS
 ```
 
-The online version of this man page (that includes cross-linking of topics)
+The online version of this manpage (that includes cross-linking of topics)
 is available at <https://download.samba.org/pub/rsync/rsync-ssl.1>.
 
 ## DESCRIPTION
@@ -94,6 +94,11 @@ The ssl helper scripts are affected by the following environment variables:
 
 >     rsync-ssl -aiv rsync://example.com:9874/mod/ dest
 
+## THE SERVER SIDE
+
+For help setting up an SSL/TLS supporting rsync, see the [instructions in
+rsyncd.conf](rsyncd.conf.5#SSL_TLS_Daemon_Setup).
+
 ## SEE ALSO
 
 [**rsync**(1)](rsync.1), [**rsyncd.conf**(5)](rsyncd.conf.5)
@@ -117,7 +122,7 @@ Please report bugs! See the web site at <https://rsync.samba.org/>.
 
 ## VERSION
 
-This man page is current for version @VERSION@ of rsync.
+This manpage is current for version @VERSION@ of rsync.
 
 ## CREDITS
 

rsync.c

@@ -437,7 +437,10 @@ int read_ndx_and_attrs(int f_in, int f_out, int *iflag_ptr, uchar *type_ptr, cha
   */
 void free_sums(struct sum_struct *s)
 {
-	if (s->sums) free(s->sums);
+	if (s->sums) {
+		free(s->sums);
+		free(s->sum2_array);
+	}
 	free(s);
 }
 
@@ -544,7 +547,7 @@ int set_file_attrs(const char *fname, struct file_struct *file, stat_x *sxp,
 		if (am_root >= 0) {
 			uid_t uid = change_uid ? (uid_t)F_OWNER(file) : sxp->st.st_uid;
 			gid_t gid = change_gid ? (gid_t)F_GROUP(file) : sxp->st.st_gid;
-			if (do_lchown(fname, uid, gid) != 0) {
+			if (do_lchown_at(fname, uid, gid) != 0) {
 				/* We shouldn't have attempted to change uid
 				 * or gid unless have the privilege. */
 				rsyserr(FERROR_XFER, errno, "%s %s failed",
@@ -642,7 +645,7 @@ int set_file_attrs(const char *fname, struct file_struct *file, stat_x *sxp,
 #ifdef SUPPORT_ACLS
 	/* It's OK to call set_acl() now, even for a dir, as the generator
 	 * will enable owner-writability using chmod, if necessary.
-	 * 
+	 *
 	 * If set_acl() changes permission bits in the process of setting
 	 * an access ACL, it changes sxp->st.st_mode so we know whether we
 	 * need to chmod(). */
@@ -654,7 +657,7 @@ int set_file_attrs(const char *fname, struct file_struct *file, stat_x *sxp,
 
 #ifdef HAVE_CHMOD
 	if (!BITS_EQUAL(sxp->st.st_mode, new_mode, CHMOD_BITS)) {
-		int ret = am_root < 0 ? 0 : do_chmod(fname, new_mode);
+		int ret = am_root < 0 ? 0 : do_chmod_at(fname, new_mode);
 		if (ret < 0) {
 			rsyserr(FERROR_XFER, errno,
 				"failed to set permissions on %s",
@@ -755,7 +758,7 @@ int finish_transfer(const char *fname, const char *fnametmp,
 			full_fname(fnametmp), fname);
 		if (!partialptr || (ret == -2 && temp_copy_name)
 		 || robust_rename(fnametmp, partialptr, NULL, file->mode) < 0)
-			do_unlink(fnametmp);
+			do_unlink_at(fnametmp);
 		return 0;
 	}
 	if (ret == 0) {
@@ -771,7 +774,7 @@ int finish_transfer(const char *fname, const char *fnametmp,
 		       ok_to_set_time ? ATTRS_ACCURATE_TIME : ATTRS_SKIP_MTIME | ATTRS_SKIP_ATIME | ATTRS_SKIP_CRTIME);
 
 	if (temp_copy_name) {
-		if (do_rename(fnametmp, fname) < 0) {
+		if (do_rename_at(fnametmp, fname) < 0) {
 			rsyserr(FERROR_XFER, errno, "rename %s -> \"%s\"",
 				full_fname(fnametmp), fname);
 			return 0;

rsync.h

@@ -18,11 +18,6 @@
  * with this program; if not, visit the http://fsf.org website.
  */
 
-/* a non-zero CHAR_OFFSET makes the rolling sum stronger, but is
-   incompatible with older versions :-( */
-#define CHAR_OFFSET 0
-
-#ifndef AVX2_ASM /* do not include the rest of file for assembly */
 #define False 0
 #define True 1
 #define Unset (-1) /* Our BOOL values are always an int. */
@@ -43,6 +38,9 @@
 
 #define BACKUP_SUFFIX "~"
 
+/* a non-zero CHAR_OFFSET makes the rolling sum stronger, but is
+   incompatible with older versions :-( */
+#define CHAR_OFFSET 0
 
 /* These flags are only used during the flist transfer. */
 
@@ -86,6 +84,7 @@
 #define FLAG_DUPLICATE (1<<4)	/* sender */
 #define FLAG_MISSING_DIR (1<<4)	/* generator */
 #define FLAG_HLINKED (1<<5)	/* receiver/generator (checked on all types) */
+#define FLAG_GOT_DIR_FLIST (1<<5)/* sender/receiver/generator - dir_flist only */
 #define FLAG_HLINK_FIRST (1<<6)	/* receiver/generator (w/FLAG_HLINKED) */
 #define FLAG_IMPLIED_DIR (1<<6)	/* sender/receiver/generator (dirs only) */
 #define FLAG_HLINK_LAST (1<<7)	/* receiver/generator */
@@ -164,6 +163,29 @@
 /* For compatibility with older rsyncs */
 #define OLD_MAX_BLOCK_SIZE ((int32)1 << 29)
 
+/* Policy ceilings on attacker-controlled wire values. Picked well above any
+ * legitimate filesystem / protocol traffic but well below sizes that could
+ * cause integer overflow or DoS-grade allocations. See input_checking.txt.
+ *
+ * Note on MAX_WIRE_XATTR_DATALEN: xattr datum size is bounded only by the
+ * wire-format maximum (signed int32 varint, ~2GB). macOS resource forks
+ * are transferred as the com.apple.ResourceFork xattr and can legitimately
+ * be many GB; --max-alloc (default 1GB, configurable) is the real
+ * allocation cap. read_varint_size() still rejects negative values so a
+ * hostile peer cannot wrap to ~SIZE_MAX. */
+#define MAX_WIRE_XATTR_COUNT   65536
+#define MAX_WIRE_XATTR_NAMELEN 4096
+#define MAX_WIRE_XATTR_DATALEN ((int32)0x7fffffff)
+#define MAX_WIRE_ACL_COUNT     65536
+#define MAX_WIRE_NSEC          999999999
+/* MAX_WIRE_DEL_STAT is the per-category cap for read_del_stats() in main.c,
+ * which accumulates 5 wire-supplied counts into the int32 stats.deleted_files
+ * accumulator.  Capped at 2^28 so 5 * 2^28 = 1.34 GB stays under INT32_MAX
+ * (2.15 GB) with margin -- a higher cap (e.g. 2^30) would let a hostile peer
+ * supplying 3+ max-sized counts overflow the accumulator, which is signed-int
+ * UB.  2^28 is still well above any plausible real transfer's deletion count. */
+#define MAX_WIRE_DEL_STAT      ((int32)1 << 28)
+
 #define ROUND_UP_1024(siz) ((siz) & (1024-1) ? ((siz) | (1024-1)) + 1 : (siz))
 
 #define IOERR_GENERAL	(1<<0) /* For backward compatibility, this must == 1 */
@@ -340,6 +362,9 @@ enum delret {
 # endif
 # include <string.h>
 #endif
+#ifdef HAVE_BSD_STRING_H
+# include <bsd/string.h>
+#endif
 #ifdef HAVE_STRINGS_H
 # include <strings.h>
 #endif
@@ -365,16 +390,10 @@ enum delret {
 #include <sys/socket.h>
 #endif
 
-#ifdef TIME_WITH_SYS_TIME
-#include <sys/time.h>
-#include <time.h>
-#else
 #ifdef HAVE_SYS_TIME_H
 #include <sys/time.h>
-#else
+#endif
 #include <time.h>
-#endif
-#endif
 
 #ifdef HAVE_FCNTL_H
 #include <fcntl.h>
@@ -825,6 +844,7 @@ extern int uid_ndx;
 extern int gid_ndx;
 extern int acls_ndx;
 extern int xattrs_ndx;
+extern int file_sum_extra_cnt;
 
 #ifdef USE_FLEXIBLE_ARRAY
 #define FILE_STRUCT_LEN (sizeof (struct file_struct))
@@ -835,7 +855,7 @@ extern int xattrs_ndx;
 #define DEV_EXTRA_CNT 2
 #define DIRNODE_EXTRA_CNT 3
 #define EXTRA64_CNT ((sizeof (union file_extras64) + EXTRA_LEN - 1) / EXTRA_LEN)
-#define SUM_EXTRA_CNT ((MAX_DIGEST_LEN + EXTRA_LEN - 1) / EXTRA_LEN)
+#define SUM_EXTRA_CNT file_sum_extra_cnt
 
 #define REQ_EXTRA(f,ndx) ((union file_extras*)(f) - (ndx))
 #define OPT_EXTRA(f,bump) ((union file_extras*)(f) - file_extra_cnt - 1 - (bump))
@@ -962,12 +982,12 @@ struct sum_buf {
 	uint32 sum1;	        /**< simple checksum */
 	int32 chain;		/**< next hash-table collision */
 	short flags;		/**< flag bits */
-	char sum2[SUM_LENGTH];	/**< checksum  */
 };
 
 struct sum_struct {
 	OFF_T flength;		/**< total file length */
 	struct sum_buf *sums;	/**< points to info for each chunk */
+	char *sum2_array;	/**< checksums of length xfer_sum_len */
 	int32 count;		/**< how many chunks */
 	int32 blength;		/**< block_length */
 	int32 remainder;	/**< flength % block_length */
@@ -986,6 +1006,8 @@ struct map_struct {
 	int status;		/* first errno from read errors		*/
 };
 
+#define sum2_at(s, i)	((s)->sum2_array + ((size_t)(i) * xfer_sum_len))
+
 #define NAME_IS_FILE		(0)    /* filter name as a file */
 #define NAME_IS_DIR		(1<<0) /* filter name as a dir */
 #define NAME_IS_XATTR		(1<<2) /* filter name as an xattr */
@@ -1022,6 +1044,7 @@ typedef struct filter_struct {
 		int slash_cnt;
 		struct filter_list_struct *mergelist;
 	} u;
+	uchar elide;
 } filter_rule;
 
 typedef struct filter_list_struct {
@@ -1161,19 +1184,23 @@ typedef struct {
 #define NSTR_COMPRESS 1
 
 struct name_num_item {
-	int num;
-	const char *name, *main_name;
+	int num, flags;
+	const char *name;
+	struct name_num_item *main_nni;
 };
 
 struct name_num_obj {
 	const char *type;
-	const char *negotiated_name;
+	struct name_num_item *negotiated_nni;
 	uchar *saw;
 	int saw_len;
-	int negotiated_num;
-	struct name_num_item list[10]; /* we'll get a compile error/warning if this is ever too small */
+	struct name_num_item *list;
 };
 
+#ifdef EXTERNAL_ZLIB
+#define read_buf read_buf_
+#endif
+
 #ifndef __cplusplus
 #include "proto.h"
 #endif
@@ -1477,7 +1504,6 @@ const char *get_panic_action(void);
     fprintf(stderr, "%s in %s at line %d\n", msg, __FILE__, __LINE__); \
     exit_cleanup(RERR_UNSUPPORTED); \
 } while (0)
-#endif  /* AVX2_ASM */
 
 #ifdef HAVE_MALLINFO2
 #define MEM_ALLOC_INFO mallinfo2

rsyncd.conf.5.md

@@ -6,7 +6,7 @@ rsyncd.conf - configuration file for rsync in daemon mode
 
 rsyncd.conf
 
-The online version of this man page (that includes cross-linking of topics)
+The online version of this manpage (that includes cross-linking of topics)
 is available at <https://download.samba.org/pub/rsync/rsyncd.conf.5>.
 
 ## DESCRIPTION
@@ -98,9 +98,9 @@ a literal % into a value is to use %%.
 
 0.  `motd file`
 
-    This parameter allows you to specify a "message of the day" to display to
-    clients on each connect. This usually contains site information and any
-    legal notices. The default is no motd file.  This can be overridden by the
+    This parameter allows you to specify a "message of the day" (MOTD) to display
+    to clients on each connect. This usually contains site information and any
+    legal notices. The default is no MOTD file.  This can be overridden by the
     `--dparam=motdfile=FILE` command-line option when starting the daemon.
 
 0.  `pid file`
@@ -128,7 +128,7 @@ a literal % into a value is to use %%.
 
     This parameter can provide endless fun for people who like to tune their
     systems to the utmost degree. You can set all sorts of socket options which
-    may make transfers faster (or slower!). Read the man page for the
+    may make transfers faster (or slower!). Read the manpage for the
     **setsockopt()** system call for details on some of the options you may be
     able to set. By default no special socket options are set.  These settings
     can also be specified via the `--sockopts` command-line option.
@@ -164,6 +164,16 @@ the values of parameters.  See the GLOBAL PARAMETERS section for more details.
     available in this module.  You must specify this parameter for each module
     in `rsyncd.conf`.
 
+    If the value contains a "/./" element then the path will be divided at that
+    point into a chroot dir and an inner-chroot subdir.  If [`use chroot`](#)
+    is set to false, though, the extraneous dot dir is just cleaned out of the
+    path.  An example of this idiom is:
+
+    >     path = /var/rsync/./module1
+
+    This will (when chrooting) chroot to "/var/rsync" and set the inside-chroot
+    path to "/module1".
+
     You may base the path's value off of an environment variable by surrounding
     the variable name with percent signs.  You can even reference a variable
     that is set by rsync when the user connects.  For example, this would use
@@ -187,29 +197,47 @@ the values of parameters.  See the GLOBAL PARAMETERS section for more details.
     path, and of complicating the preservation of users and groups by name (see
     below).
 
-    As an additional safety feature, you can specify a dot-dir in the module's
-    "[path](#)" to indicate the point where the chroot should occur.  This allows
-    rsync to run in a chroot with a non-"/" path for the top of the transfer
-    hierarchy.  Doing this guards against unintended library loading (since
-    those absolute paths will not be inside the transfer hierarchy unless you
-    have used an unwise pathname), and lets you setup libraries for the chroot
-    that are outside of the transfer.  For example, specifying
-    "/var/rsync/./module1" will chroot to the "/var/rsync" directory and set
-    the inside-chroot path to "/module1".  If you had omitted the dot-dir, the
-    chroot would have used the whole path, and the inside-chroot path would
-    have been "/".
+    If `use chroot` is not set, it defaults to trying to enable a chroot but
+    allows the daemon to continue (after logging a warning) if it fails. The
+    one exception to this is when a module's [`path`](#) has a "/./" chroot
+    divider in it -- this causes an unset value to be treated as true for that
+    module.
 
-    When both "use chroot" and "[daemon chroot](#)" are false, OR the inside-chroot
-    path of "use chroot" is not "/", rsync will: (1) munge symlinks by default
-    for security reasons (see "[munge symlinks](#)" for a way to turn this off, but
-    only if you trust your users), (2) substitute leading slashes in absolute
-    paths with the module's path (so that options such as `--backup-dir`,
-    `--compare-dest`, etc. interpret an absolute path as rooted in the module's
-    "[path](#)" dir), and (3) trim ".." path elements from args if rsync believes
-    they would escape the module hierarchy.  The default for "use chroot" is
-    true, and is the safer choice (especially if the module is not read-only).
+    Prior to rsync 3.2.7, the default value was "true".  The new "unset"
+    default makes it easier to setup an rsync daemon as a non-root user or to
+    run a daemon on a system where chroot fails.  Explicitly setting the value
+    to "true" in rsyncd.conf will always require the chroot to succeed.
 
-    When this parameter is enabled *and* the "[name converter](#)" parameter is
+    It is also possible to specify a dot-dir in the module's "[path](#)" to
+    indicate that you want to chdir to the earlier part of the path and then
+    serve files from inside the latter part of the path (with sanitizing and
+    default symlink munging).  This can be useful if you need some library dirs
+    inside the chroot (typically for uid & gid lookups) but don't want to put
+    the lib dir into the top of the served path (even though they can be hidden
+    with an [`exclude`](#) directive).  However, a better choice for a modern
+    rsync setup is to use a [`name converter`](#)" and try to avoid inner lib
+    dirs altogether.  See also the [`daemon chroot`](#) parameter, which causes
+    rsync to chroot into its own chroot area before doing any path-related
+    chrooting.
+
+    If the daemon is serving the "/" dir (either directly or due to being
+    chrooted to the module's path), rsync does not do any path sanitizing or
+    (default) munging.
+
+    When it has to limit access to a particular subdir (either due to chroot
+    being disabled or having an inside-chroot path set), rsync will munge
+    symlinks (by default) and sanitize paths.  Those that dislike munged
+    symlinks (and really, really trust their users to not break out of the
+    subdir) can disable the symlink munging via the "[munge symlinks](#)"
+    parameter.
+
+    When rsync is sanitizing paths, it trims ".." path elements from args that
+    it believes would escape the module hierarchy. It also substitutes leading
+    slashes in absolute paths with the module's path (so that options such as
+    `--backup-dir` & `--compare-dest` interpret an absolute path as rooted in
+    the module's "[path](#)" dir).
+
+    When a chroot is in effect *and* the "[name converter](#)" parameter is
     *not* set, the "[numeric ids](#)" parameter will default to being enabled
     (disabling name lookups).  This means that if you manually setup
     name-lookup libraries in your chroot (instead of using a name converter)
@@ -716,7 +744,7 @@ the values of parameters.  See the GLOBAL PARAMETERS section for more details.
       addresses which match the masked IP address will be allowed in.
     - a hostname pattern using wildcards. If the hostname of the connecting IP
       (as determined by a reverse lookup) matches the wildcarded name (using
-      the same rules as normal unix filename matching), the client is allowed
+      the same rules as normal Unix filename matching), the client is allowed
       in.  This only works if "[reverse lookup](#)" is enabled (the default).
     - a hostname. A plain hostname is matched against the reverse DNS of the
       connecting IP (if "[reverse lookup](#)" is enabled), and/or the IP of the
@@ -894,7 +922,7 @@ the values of parameters.  See the GLOBAL PARAMETERS section for more details.
     >     refuse options = * !a !v !compress*
 
     Don't worry that the "`*`" will refuse certain vital options such as
-    `--dry-run`, `--server`, `--no-iconv`, `--protect-args`, etc. These
+    `--dry-run`, `--server`, `--no-iconv`, `--seclude-args`, etc. These
     important options are not matched by wild-card, so they must be overridden
     by their exact name.  For instance, if you're forcing iconv transfers you
     could use something like this:
@@ -933,9 +961,10 @@ the values of parameters.  See the GLOBAL PARAMETERS section for more details.
     If you are un-refusing the compress option, you may want to match
     "`!compress*`" if you also want to allow the `--compress-level` option.
 
-    Note that the "write-devices" option is refused by default, but can be
-    explicitly accepted with "`!write-devices`".  The options "log-file" and
-    "log-file-format" are forcibly refused and cannot be accepted.
+    Note that the "copy-devices" & "write-devices" options are refused by
+    default, but they can be explicitly accepted with "`!copy-devices`" and/or
+    "`!write-devices`".  The options "log-file" and "log-file-format" are
+    forcibly refused and cannot be accepted.
 
     Here are all the options that are not matched by wild-cards:
 
@@ -947,7 +976,7 @@ the values of parameters.  See the GLOBAL PARAMETERS section for more details.
       `--log-file-format`.
     - `--sender`: Use "[write only](#)" parameter instead of refusing this.
     - `--dry-run`, `-n`: Who would want to disable this?
-    - `--protect-args`, `-s`: This actually makes transfers safer.
+    - `--seclude-args`, `-s`: Is the oldest arg-protection method.
     - `--from0`, `-0`: Makes it easier to accept/refuse `--files-from` without
       affecting this helpful modifier.
     - `--iconv`: This is auto-disabled based on "[charset](#)" parameter.
@@ -1113,15 +1142,15 @@ SSL proxy.
 ## SSL/TLS Daemon Setup
 
 When setting up an rsync daemon for access via SSL/TLS, you will need to
-configure a proxy (such as haproxy or nginx) as the front-end that handles the
-encryption.
+configure a TCP proxy (such as haproxy or nginx) as the front-end that handles
+the encryption.
 
 - You should limit the access to the backend-rsyncd port to only allow the
   proxy to connect.  If it is on the same host as the proxy, then configuring
   it to only listen on localhost is a good idea.
-- You should consider turning on the `proxy protocol` parameter if your proxy
-  supports sending that information.  The examples below assume that this is
-  enabled.
+- You should consider turning on the `proxy protocol` rsync-daemon parameter if
+  your proxy supports sending that information.  The examples below assume that
+  this is enabled.
 
 An example haproxy setup is as follows:
 
@@ -1148,14 +1177,14 @@ An example nginx proxy setup is as follows:
 >        ssl_certificate_key /etc/letsencrypt/example.com/privkey.pem;
 >
 >        proxy_pass localhost:873;
->        proxy_protocol on; # Requires "proxy protocol = true"
+>        proxy_protocol on; # Requires rsyncd.conf "proxy protocol = true"
 >        proxy_timeout 1m;
 >        proxy_connect_timeout 5s;
 >    }
 > }
 > ```
 
-## EXAMPLES
+## DAEMON CONFIG EXAMPLES
 
 A simple rsyncd.conf file that allow anonymous rsync to a ftp area at
 `/home/ftp` would be:
@@ -1219,7 +1248,7 @@ Please report bugs! The rsync bug tracking system is online at
 
 ## VERSION
 
-This man page is current for version @VERSION@ of rsync.
+This manpage is current for version @VERSION@ of rsync.
 
 ## CREDITS
 
@@ -1236,8 +1265,9 @@ Thanks to Karsten Thygesen for his many suggestions and documentation!
 
 ## AUTHOR
 
-Rsync was written by Andrew Tridgell and Paul Mackerras.  Many people have
-later contributed to it.
+Rsync was originally written by Andrew Tridgell and Paul Mackerras.  Many
+people have later contributed to it. It is currently maintained by Wayne
+Davison.
 
 Mailing lists for support and development are available at
 <https://lists.samba.org/>.

sender.c

@@ -25,11 +25,13 @@
 extern int do_xfers;
 extern int am_server;
 extern int am_daemon;
+extern int local_server;
 extern int inc_recurse;
 extern int log_before_transfer;
 extern int stdout_format_has_i;
 extern int logfile_format_has_i;
 extern int want_xattr_optim;
+extern int xfer_sum_len;
 extern int csum_length;
 extern int append_mode;
 extern int copy_links;
@@ -37,6 +39,7 @@ extern int io_error;
 extern int flist_eof;
 extern int whole_file;
 extern int allowed_lull;
+extern int copy_devices;
 extern int preserve_xattrs;
 extern int protocol_version;
 extern int remove_source_files;
@@ -45,11 +48,14 @@ extern int make_backups;
 extern int inplace;
 extern int inplace_partial;
 extern int batch_fd;
+extern int use_secure_symlinks;
+extern char *module_dir;
 extern int write_batch;
 extern int file_old_total;
 extern BOOL want_progress_now;
 extern struct stats stats;
 extern struct file_list *cur_flist, *first_flist, *dir_flist;
+extern char num_dev_ino_buf[4 + 8 + 8];
 
 BOOL extra_flist_sending_enabled;
 
@@ -91,10 +97,11 @@ static struct sum_struct *receive_sums(int f)
 		return(s);
 
 	s->sums = new_array(struct sum_buf, s->count);
+	s->sum2_array = new_array(char, (size_t)s->count * xfer_sum_len);
 
 	for (i = 0; i < s->count; i++) {
 		s->sums[i].sum1 = read_int(f);
-		read_buf(f, s->sums[i].sum2, s->s2length);
+		read_buf(f, sum2_at(s, i), s->s2length);
 
 		s->sums[i].offset = offset;
 		s->sums[i].flags = 0;
@@ -133,6 +140,8 @@ void successful_send(int ndx)
 		return;
 
 	flist = flist_for_ndx(ndx, "successful_send");
+	if (ndx < flist->ndx_start)
+		exit_cleanup(RERR_PROTOCOL);
 	file = flist->files[ndx - flist->ndx_start];
 	if (!change_pathname(file, NULL, 0))
 		return;
@@ -143,6 +152,13 @@ void successful_send(int ndx)
 		goto failed;
 	}
 
+	if (local_server
+	 && (int64)st.st_dev == IVAL64(num_dev_ino_buf, 4)
+	 && (int64)st.st_ino == IVAL64(num_dev_ino_buf, 4 + 8)) {
+		rprintf(FERROR_XFER, "ERROR: Skipping sender remove of destination file: %s\n", fname);
+		return;
+	}
+
 	if (st.st_size != F_LENGTH(file) || st.st_mtime != file->modtime
 #ifdef ST_MTIME_NSEC
 	 || (NSEC_BUMP(file) && (uint32)st.ST_MTIME_NSEC != F_MOD_NSEC(file))
@@ -250,6 +266,8 @@ void send_files(int f_in, int f_out)
 
 		if (ndx - cur_flist->ndx_start >= 0)
 			file = cur_flist->files[ndx - cur_flist->ndx_start];
+		else if (cur_flist->parent_ndx < 0)
+			exit_cleanup(RERR_PROTOCOL);
 		else
 			file = dir_flist->files[cur_flist->parent_ndx];
 		if (F_PATHNAME(file)) {
@@ -338,7 +356,25 @@ void send_files(int f_in, int f_out)
 			exit_cleanup(RERR_PROTOCOL);
 		}
 
-		fd = do_open(fname, O_RDONLY, 0);
+		if (use_secure_symlinks) {
+			/* Open from module root to prevent TOCTOU race where
+			 * change_pathname's chdir follows a directory symlink.
+			 * Reconstruct the full path relative to module_dir
+			 * from F_PATHNAME (path) and f_name (fname). */
+			char secure_path[MAXPATHLEN];
+			int slen = snprintf(secure_path, sizeof secure_path, "%s%s%s", path, slash, fname);
+			if (slen >= (int)sizeof secure_path) {
+				io_error |= IOERR_GENERAL;
+				rprintf(FERROR_XFER, "path too long: %s%s%s\n", path, slash, fname);
+				free_sums(s);
+				if (protocol_version >= 30)
+					send_msg_int(MSG_NO_SEND, ndx);
+				continue;
+			}
+			fd = secure_relative_open(module_dir, secure_path, O_RDONLY, 0);
+		} else {
+			fd = do_open_checklinks(fname);
+		}
 		if (fd == -1) {
 			if (errno == ENOENT) {
 				enum logcode c = am_daemon && protocol_version < 28 ? FERROR : FWARNING;
@@ -366,6 +402,15 @@ void send_files(int f_in, int f_out)
 			exit_cleanup(RERR_FILEIO);
 		}
 
+		if (IS_DEVICE(st.st_mode)) {
+			if (!copy_devices) {
+				rprintf(FERROR, "attempt to copy device contents without --copy-devices\n");
+				exit_cleanup(RERR_PROTOCOL);
+			}
+			if (st.st_size == 0)
+				st.st_size = get_device_size(fd, fname);
+		}
+
 		if (append_mode > 0 && st.st_size < F_LENGTH(file)) {
 			rprintf(FWARNING, "skipped diminished file: %s\n",
 				full_fname(fname));

simd-checksum-avx2.S

@@ -1,15 +1,21 @@
+#include "config.h"
+
+#ifdef USE_ROLL_ASM /* { */
+
+#define CHAR_OFFSET 0 /* Keep this the same as rsync.h, which isn't likely to change. */
+
 #ifdef __APPLE__
-#define get_checksum1_avx2  _get_checksum1_avx2
+#define get_checksum1_avx2_asm  _get_checksum1_avx2_asm
 #endif
 
 .intel_syntax noprefix
 .text
 
 	.p2align 5
-	.globl get_checksum1_avx2
+	.globl get_checksum1_avx2_asm
 
 # rdi=*buf, esi=len, edx=i, rcx= *ps1, r8= *ps2
-get_checksum1_avx2:
+get_checksum1_avx2_asm:
 	vmovd	xmm6,[rcx] # load *ps1
 	lea	eax, [rsi-128] # at least 128 bytes to process?
 	cmp	edx, eax
@@ -167,3 +173,5 @@ get_checksum1_avx2:
 	.byte 3
 	.byte 2
 	.byte 1
+
+#endif /* } USE_ROLL_ASM */

simd-checksum-x86_64.cpp

@@ -51,12 +51,12 @@
  * GCC 4.x are not supported to ease configure.ac logic.
  */
 
-#ifdef __x86_64__
-#ifdef __cplusplus
+#ifdef __x86_64__ /* { */
+#ifdef __cplusplus /* { */
 
 #include "rsync.h"
 
-#ifdef HAVE_SIMD
+#ifdef USE_ROLL_SIMD /* { */
 
 #include <immintrin.h>
 
@@ -85,6 +85,9 @@ typedef long long __m256i_u __attribute__((__vector_size__(32), __may_alias__, _
 #define SSE2_HADDS_EPI16(a, b) _mm_adds_epi16(SSE2_INTERLEAVE_EVEN_EPI16(a, b), SSE2_INTERLEAVE_ODD_EPI16(a, b))
 #define SSE2_MADDUBS_EPI16(a, b) _mm_adds_epi16(SSE2_MULU_EVEN_EPI8(a, b), SSE2_MULU_ODD_EPI8(a, b))
 
+#ifndef USE_ROLL_ASM
+__attribute__ ((target("default"))) MVSTATIC int32 get_checksum1_avx2_64(schar* buf, int32 len, int32 i, uint32* ps1, uint32* ps2) { return i; }
+#endif
 __attribute__ ((target("default"))) MVSTATIC int32 get_checksum1_ssse3_32(schar* buf, int32 len, int32 i, uint32* ps1, uint32* ps2) { return i; }
 __attribute__ ((target("default"))) MVSTATIC int32 get_checksum1_sse2_32(schar* buf, int32 len, int32 i, uint32* ps1, uint32* ps2) { return i; }
 
@@ -245,7 +248,7 @@ __attribute__ ((target("sse2"))) MVSTATIC int32 get_checksum1_sse2_32(schar* buf
 
             // (4*buf[i] + 3*buf[i+1]), (2*buf[i+2], buf[i+3]), ... 2*[int16*8]
             __m128i mul_const = _mm_set1_epi32(4 + (3 << 8) + (2 << 16) + (1 << 24));
-            __m128i mul_add16_1 = SSE2_MADDUBS_EPI16(mul_const, in8_1);
+            __m128i mul_add16_1 = SSE2_MADDUBS_EPI16(mul_const, in8_1);
             __m128i mul_add16_2 = SSE2_MADDUBS_EPI16(mul_const, in8_2);
 
             // s2 += 32*s1
@@ -310,7 +313,126 @@ __attribute__ ((target("sse2"))) MVSTATIC int32 get_checksum1_sse2_32(schar* buf
     return i;
 }
 
-extern "C" __attribute__ ((target("avx2"))) int32 get_checksum1_avx2(schar* buf, int32 len, int32 i, uint32* ps1, uint32* ps2);
+#ifdef USE_ROLL_ASM /* { */
+
+extern "C" __attribute__ ((target("avx2"))) int32 get_checksum1_avx2_asm(schar* buf, int32 len, int32 i, uint32* ps1, uint32* ps2);
+
+#else /* } { */
+
+/*
+  AVX2 loop per 64 bytes:
+    int16 t1[16];
+    int16 t2[16];
+    for (int j = 0; j < 16; j++) {
+      t1[j] = buf[j*4 + i] + buf[j*4 + i+1] + buf[j*4 + i+2] + buf[j*4 + i+3];
+      t2[j] = 4*buf[j*4 + i] + 3*buf[j*4 + i+1] + 2*buf[j*4 + i+2] + buf[j*4 + i+3];
+    }
+    s2 += 64*s1 + (uint32)(
+              60*t1[0] + 56*t1[1] + 52*t1[2] + 48*t1[3] + 44*t1[4] + 40*t1[5] + 36*t1[6] + 32*t1[7] + 28*t1[8] + 24*t1[9] + 20*t1[10] + 16*t1[11] + 12*t1[12] + 8*t1[13] + 4*t1[14] +
+              t2[0] + t2[1] + t2[2] + t2[3] + t2[4] + t2[5] + t2[6] + t2[7] + t2[8] + t2[9] + t2[10] + t2[11] + t2[12] + t2[13] + t2[14] + t2[15]
+          ) + 2080*CHAR_OFFSET;
+    s1 += (uint32)(t1[0] + t1[1] + t1[2] + t1[3] + t1[4] + t1[5] + t1[6] + t1[7] + t1[8] + t1[9] + t1[10] + t1[11] + t1[12] + t1[13] + t1[14] + t1[15]) +
+          64*CHAR_OFFSET;
+ */
+
+__attribute__ ((target("avx2"))) MVSTATIC int32 get_checksum1_avx2_64(schar* buf, int32 len, int32 i, uint32* ps1, uint32* ps2)
+{
+    if (len > 64) {
+
+        uint32 x[4] = {0};
+        __m128i ss1 = _mm_cvtsi32_si128(*ps1);
+        __m128i ss2 = _mm_cvtsi32_si128(*ps2);
+
+        const char mul_t1_buf[16] = {60, 56, 52, 48, 44, 40, 36, 32, 28, 24, 20, 16, 12, 8, 4, 0};
+	__m128i tmp = _mm_load_si128((__m128i*) mul_t1_buf);
+        __m256i mul_t1 = _mm256_cvtepu8_epi16(tmp);
+	__m256i mul_const = _mm256_broadcastd_epi32(_mm_cvtsi32_si128(4 | (3 << 8) | (2 << 16) | (1 << 24)));
+        __m256i mul_one = _mm256_set1_epi8(1);
+
+        for (; i < (len-64); i+=64) {
+            // Load ... 4*[int8*16]
+            __m256i in8_1, in8_2;
+	    __m128i in8_1_low, in8_2_low, in8_1_high, in8_2_high;
+	    in8_1_low = _mm_loadu_si128((__m128i_u*)&buf[i]);
+	    in8_2_low = _mm_loadu_si128((__m128i_u*)&buf[i+16]);
+	    in8_1_high = _mm_loadu_si128((__m128i_u*)&buf[i+32]);
+	    in8_2_high = _mm_loadu_si128((__m128i_u*)&buf[i+48]);
+	    in8_1 = _mm256_inserti128_si256(_mm256_castsi128_si256(in8_1_low), in8_1_high,1);
+	    in8_2 = _mm256_inserti128_si256(_mm256_castsi128_si256(in8_2_low), in8_2_high,1);
+
+            // (1*buf[i] + 1*buf[i+1]), (1*buf[i+2], 1*buf[i+3]), ... 2*[int16*8]
+            // Fastest, even though multiply by 1
+            __m256i add16_1 = _mm256_maddubs_epi16(mul_one, in8_1);
+            __m256i add16_2 = _mm256_maddubs_epi16(mul_one, in8_2);
+
+            // (4*buf[i] + 3*buf[i+1]), (2*buf[i+2], buf[i+3]), ... 2*[int16*8]
+            __m256i mul_add16_1 = _mm256_maddubs_epi16(mul_const, in8_1);
+            __m256i mul_add16_2 = _mm256_maddubs_epi16(mul_const, in8_2);
+
+            // s2 += 64*s1
+            ss2 = _mm_add_epi32(ss2, _mm_slli_epi32(ss1, 6));
+
+            // [sum(t1[0]..t1[7]), X, X, X] [int32*4]; faster than multiple _mm_hadds_epi16
+            __m256i sum_add32 = _mm256_add_epi16(add16_1, add16_2);
+            sum_add32 = _mm256_add_epi16(sum_add32, _mm256_srli_epi32(sum_add32, 16));
+            sum_add32 = _mm256_add_epi16(sum_add32, _mm256_srli_si256(sum_add32, 4));
+            sum_add32 = _mm256_add_epi16(sum_add32, _mm256_srli_si256(sum_add32, 8));
+
+            // [sum(t2[0]..t2[7]), X, X, X] [int32*4]; faster than multiple _mm_hadds_epi16
+            __m256i sum_mul_add32 = _mm256_add_epi16(mul_add16_1, mul_add16_2);
+            sum_mul_add32 = _mm256_add_epi16(sum_mul_add32, _mm256_srli_epi32(sum_mul_add32, 16));
+            sum_mul_add32 = _mm256_add_epi16(sum_mul_add32, _mm256_srli_si256(sum_mul_add32, 4));
+            sum_mul_add32 = _mm256_add_epi16(sum_mul_add32, _mm256_srli_si256(sum_mul_add32, 8));
+
+            // s1 += t1[0] + t1[1] + t1[2] + t1[3] + t1[4] + t1[5] + t1[6] + t1[7]
+	    __m128i sum_add32_hi = _mm256_extracti128_si256(sum_add32, 0x1);
+            ss1 = _mm_add_epi32(ss1, _mm256_castsi256_si128(sum_add32));
+            ss1 = _mm_add_epi32(ss1, sum_add32_hi);
+
+            // s2 += t2[0] + t2[1] + t2[2] + t2[3] + t2[4] + t2[5] + t2[6] + t2[7]
+	    __m128i sum_mul_add32_hi = _mm256_extracti128_si256(sum_mul_add32, 0x1);
+            ss2 = _mm_add_epi32(ss2, _mm256_castsi256_si128(sum_mul_add32));
+            ss2 = _mm_add_epi32(ss2, sum_mul_add32_hi);
+
+            // [t1[0] + t1[1], t1[2] + t1[3] ...] [int16*8]
+            // We could've combined this with generating sum_add32 above and
+            // save an instruction but benchmarking shows that as being slower
+            __m256i add16 = _mm256_hadds_epi16(add16_1, add16_2);
+
+            // [t1[0], t1[1], ...] -> [t1[0]*28 + t1[1]*24, ...] [int32*4]
+            __m256i mul32 = _mm256_madd_epi16(add16, mul_t1);
+
+            // [sum(mul32), X, X, X] [int32*4]; faster than multiple _mm_hadd_epi32
+            mul32 = _mm256_add_epi32(mul32, _mm256_srli_si256(mul32, 4));
+            mul32 = _mm256_add_epi32(mul32, _mm256_srli_si256(mul32, 8));
+	    // prefetch 2 cacheline ahead
+            _mm_prefetch(&buf[i + 160], _MM_HINT_T0);
+
+            // s2 += 28*t1[0] + 24*t1[1] + 20*t1[2] + 16*t1[3] + 12*t1[4] + 8*t1[5] + 4*t1[6]
+	    __m128i mul32_hi = _mm256_extracti128_si256(mul32, 0x1);
+            ss2 = _mm_add_epi32(ss2, _mm256_castsi256_si128(mul32));
+            ss2 = _mm_add_epi32(ss2, mul32_hi);
+
+#if CHAR_OFFSET != 0
+            // s1 += 32*CHAR_OFFSET
+            __m128i char_offset_multiplier = _mm_set1_epi32(32 * CHAR_OFFSET);
+            ss1 = _mm_add_epi32(ss1, char_offset_multiplier);
+
+            // s2 += 528*CHAR_OFFSET
+            char_offset_multiplier = _mm_set1_epi32(528 * CHAR_OFFSET);
+            ss2 = _mm_add_epi32(ss2, char_offset_multiplier);
+#endif
+        }
+
+        _mm_store_si128((__m128i_u*)x, ss1);
+        *ps1 = x[0];
+        _mm_store_si128((__m128i_u*)x, ss2);
+        *ps2 = x[0];
+    }
+    return i;
+}
+
+#endif /* } !USE_ROLL_ASM */
 
 static int32 get_checksum1_default_1(schar* buf, int32 len, int32 i, uint32* ps1, uint32* ps2)
 {
@@ -338,7 +460,11 @@ static inline uint32 get_checksum1_cpp(char *buf1, int32 len)
     uint32 s2 = 0;
 
     // multiples of 64 bytes using AVX2 (if available)
-    i = get_checksum1_avx2((schar*)buf1, len, i, &s1, &s2);
+#ifdef USE_ROLL_ASM
+    i = get_checksum1_avx2_asm((schar*)buf1, len, i, &s1, &s2);
+#else
+    i = get_checksum1_avx2_64((schar*)buf1, len, i, &s1, &s2);
+#endif
 
     // multiples of 32 bytes using SSSE3 (if available)
     i = get_checksum1_ssse3_32((schar*)buf1, len, i, &s1, &s2);
@@ -407,7 +533,11 @@ int main() {
     benchmark("Raw-C", get_checksum1_default_1, (schar*)buf, BLOCK_LEN);
     benchmark("SSE2", get_checksum1_sse2_32, (schar*)buf, BLOCK_LEN);
     benchmark("SSSE3", get_checksum1_ssse3_32, (schar*)buf, BLOCK_LEN);
-    benchmark("AVX2", get_checksum1_avx2, (schar*)buf, BLOCK_LEN);
+#ifdef USE_ROLL_ASM
+    benchmark("AVX2-ASM", get_checksum1_avx2_asm, (schar*)buf, BLOCK_LEN);
+#else
+    benchmark("AVX2", get_checksum1_avx2_64, (schar*)buf, BLOCK_LEN);
+#endif
 
     free(buf);
     return 0;
@@ -417,6 +547,118 @@ int main() {
 #pragma clang optimize on
 #endif /* BENCHMARK_SIMD_CHECKSUM1 */
 
-#endif /* HAVE_SIMD */
-#endif /* __cplusplus */
-#endif /* __x86_64__ */
+#ifdef TEST_SIMD_CHECKSUM1
+
+static uint32 checksum_via_default(char *buf, int32 len)
+{
+    uint32 s1 = 0, s2 = 0;
+    get_checksum1_default_1((schar*)buf, len, 0, &s1, &s2);
+    return (s1 & 0xffff) + (s2 << 16);
+}
+
+static uint32 checksum_via_sse2(char *buf, int32 len)
+{
+    int32 i;
+    uint32 s1 = 0, s2 = 0;
+    i = get_checksum1_sse2_32((schar*)buf, len, 0, &s1, &s2);
+    get_checksum1_default_1((schar*)buf, len, i, &s1, &s2);
+    return (s1 & 0xffff) + (s2 << 16);
+}
+
+static uint32 checksum_via_ssse3(char *buf, int32 len)
+{
+    int32 i;
+    uint32 s1 = 0, s2 = 0;
+    i = get_checksum1_ssse3_32((schar*)buf, len, 0, &s1, &s2);
+    get_checksum1_default_1((schar*)buf, len, i, &s1, &s2);
+    return (s1 & 0xffff) + (s2 << 16);
+}
+
+static uint32 checksum_via_avx2(char *buf, int32 len)
+{
+    int32 i;
+    uint32 s1 = 0, s2 = 0;
+#ifdef USE_ROLL_ASM
+    i = get_checksum1_avx2_asm((schar*)buf, len, 0, &s1, &s2);
+#else
+    i = get_checksum1_avx2_64((schar*)buf, len, 0, &s1, &s2);
+#endif
+    get_checksum1_default_1((schar*)buf, len, i, &s1, &s2);
+    return (s1 & 0xffff) + (s2 << 16);
+}
+
+int main()
+{
+    static const int sizes[] = {1, 4, 31, 32, 33, 63, 64, 65, 128, 129, 256, 700, 1024, 4096, 65536};
+    int num_sizes = sizeof(sizes) / sizeof(sizes[0]);
+    int max_size = sizes[num_sizes - 1];
+    int failures = 0;
+
+    /* Allocate with extra bytes for unaligned test */
+    unsigned char *raw = (unsigned char *)malloc(max_size + 64 + 1);
+    if (!raw) {
+        fprintf(stderr, "malloc failed\n");
+        return 1;
+    }
+
+    /* Fill with deterministic data */
+    for (int i = 0; i < max_size + 64 + 1; i++)
+        raw[i] = (i + (i % 3) + (i % 11)) % 256;
+
+    /* Test with aligned buffer (64-byte aligned) */
+    unsigned char *aligned = raw + (64 - ((uintptr_t)raw % 64));
+
+    /* Test with unaligned buffer (+1 byte offset) */
+    unsigned char *unaligned = aligned + 1;
+
+    struct { const char *name; unsigned char *buf; } buffers[] = {
+        {"aligned", aligned},
+        {"unaligned", unaligned},
+    };
+
+    for (int b = 0; b < 2; b++) {
+        char *buf = (char *)buffers[b].buf;
+        const char *bname = buffers[b].name;
+
+        for (int s = 0; s < num_sizes; s++) {
+            int32 len = sizes[s];
+            uint32 ref = checksum_via_default(buf, len);
+            uint32 cs_sse2 = checksum_via_sse2(buf, len);
+            uint32 cs_ssse3 = checksum_via_ssse3(buf, len);
+            uint32 cs_avx2 = checksum_via_avx2(buf, len);
+            uint32 cs_auto = get_checksum1(buf, len);
+
+            if (cs_sse2 != ref) {
+                printf("FAIL %-9s size=%5d: SSE2=%08x ref=%08x\n", bname, len, cs_sse2, ref);
+                failures++;
+            }
+            if (cs_ssse3 != ref) {
+                printf("FAIL %-9s size=%5d: SSSE3=%08x ref=%08x\n", bname, len, cs_ssse3, ref);
+                failures++;
+            }
+            if (cs_avx2 != ref) {
+                printf("FAIL %-9s size=%5d: AVX2=%08x ref=%08x\n", bname, len, cs_avx2, ref);
+                failures++;
+            }
+            if (cs_auto != ref) {
+                printf("FAIL %-9s size=%5d: auto=%08x ref=%08x\n", bname, len, cs_auto, ref);
+                failures++;
+            }
+        }
+    }
+
+    free(raw);
+
+    if (failures) {
+        printf("%d checksum mismatches!\n", failures);
+        return 1;
+    }
+    printf("All SIMD checksum tests passed.\n");
+    return 0;
+}
+
+#endif /* TEST_SIMD_CHECKSUM1 */
+
+#endif /* } USE_ROLL_SIMD */
+#endif /* } __cplusplus */
+#endif /* } __x86_64__ */

socket.c

@@ -47,21 +47,23 @@ static struct sigaction sigact;
 
 static int sock_exec(const char *prog);
 
+#define PROXY_BUF_SIZE 1024
+
 /* Establish a proxy connection on an open socket to a web proxy by using the
  * CONNECT method.  If proxy_user and proxy_pass are not NULL, they are used to
  * authenticate to the proxy using the "Basic" proxy-authorization protocol. */
 static int establish_proxy_connection(int fd, char *host, int port, char *proxy_user, char *proxy_pass)
 {
-	char *cp, buffer[1024];
-	char *authhdr, authbuf[1024];
+	char *cp, buffer[PROXY_BUF_SIZE + 1];
+	char *authhdr, authbuf[PROXY_BUF_SIZE + 1];
 	int len;
 
 	if (proxy_user && proxy_pass) {
-		stringjoin(buffer, sizeof buffer,
+		stringjoin(buffer, PROXY_BUF_SIZE,
 			 proxy_user, ":", proxy_pass, NULL);
 		len = strlen(buffer);
 
-		if ((len*8 + 5) / 6 >= (int)sizeof authbuf - 3) {
+		if ((len*8 + 5) / 6 >= PROXY_BUF_SIZE - 3) {
 			rprintf(FERROR,
 				"authentication information is too long\n");
 			return -1;
@@ -74,14 +76,14 @@ static int establish_proxy_connection(int fd, char *host, int port, char *proxy_
 		authhdr = "";
 	}
 
-	len = snprintf(buffer, sizeof buffer, "CONNECT %s:%d HTTP/1.0%s%s\r\n\r\n", host, port, authhdr, authbuf);
-	assert(len > 0 && len < (int)sizeof buffer);
+	len = snprintf(buffer, PROXY_BUF_SIZE, "CONNECT %s:%d HTTP/1.0%s%s\r\n\r\n", host, port, authhdr, authbuf);
+	assert(len > 0 && len < PROXY_BUF_SIZE);
 	if (write(fd, buffer, len) != len) {
 		rsyserr(FERROR, errno, "failed to write to proxy");
 		return -1;
 	}
 
-	for (cp = buffer; cp < &buffer[sizeof buffer - 1]; cp++) {
+	for (cp = buffer; cp < &buffer[PROXY_BUF_SIZE - 1]; cp++) {
 		if (read(fd, cp, 1) != 1) {
 			rsyserr(FERROR, errno, "failed to read from proxy");
 			return -1;
@@ -90,11 +92,13 @@ static int establish_proxy_connection(int fd, char *host, int port, char *proxy_
 			break;
 	}
 
-	if (*cp != '\n')
-		cp++;
-	*cp-- = '\0';
-	if (*cp == '\r')
-		*cp = '\0';
+	if (cp == &buffer[PROXY_BUF_SIZE - 1]) {
+		rprintf(FERROR, "proxy response line too long\n");
+		return -1;
+	}
+	*cp = '\0';
+	if (cp > buffer && cp[-1] == '\r')
+		cp[-1] = '\0';
 	if (strncmp(buffer, "HTTP/", 5) != 0) {
 		rprintf(FERROR, "bad response from proxy -- %s\n",
 			buffer);
@@ -110,7 +114,7 @@ static int establish_proxy_connection(int fd, char *host, int port, char *proxy_
 	}
 	/* throw away the rest of the HTTP header */
 	while (1) {
-		for (cp = buffer; cp < &buffer[sizeof buffer - 1]; cp++) {
+		for (cp = buffer; cp < &buffer[PROXY_BUF_SIZE]; cp++) {
 			if (read(fd, cp, 1) != 1) {
 				rsyserr(FERROR, errno,
 					"failed to read from proxy");

support/git-set-file-times

@@ -38,7 +38,7 @@ def main():
                 print_line(fn, mtime, mtime)
             ls.discard(fn)
 
-    cmd = git + 'log -r --name-only --no-color --pretty=raw --no-renames -z'.split()
+    cmd = git + 'log -r --name-only --format=%x00commit%x20%H%n%x00commit_time%x20%ct%n --no-renames -z'.split()
     if args.tree:
         cmd.append(args.tree)
     cmd += ['--'] + args.files
@@ -46,7 +46,7 @@ def main():
     proc = subprocess.Popen(cmd, stdout=subprocess.PIPE, encoding='utf-8')
     for line in proc.stdout:
         line = line.strip()
-        m = re.match(r'^committer .*? (\d+) [-+]\d+$', line)
+        m = re.match(r'^\0commit_time (\d+)$', line)
         if m:
             commit_time = int(m[1])
         elif NULL_COMMIT_RE.search(line):

support/json-rsync-version

@@ -0,0 +1,93 @@
+#!/usr/bin/python3
+
+import sys, argparse, subprocess, json
+
+TWEAK_NAME = {
+        'asm': 'asm_roll',
+        'ASM': 'asm_roll',
+        'hardlink_special': 'hardlink_specials',
+        'protect_args': 'secluded_args',
+        'protected_args': 'secluded_args',
+        'SIMD': 'SIMD_roll',
+    }
+
+MOVE_OPTIM = set('asm_roll SIMD_roll'.split())
+
+def main():
+    if not args.rsync or args.rsync == '-':
+        ver_out = sys.stdin.read().strip()
+    else:
+        ver_out = subprocess.check_output([args.rsync, '--version', '--version'], encoding='utf-8').strip()
+    if ver_out.startswith('{'):
+        print(ver_out)
+        return
+    info = { }
+    misplaced_optims = { }
+    for line in ver_out.splitlines():
+        if line.startswith('rsync '):
+            prog, vstr, ver, pstr, vstr2, proto = line.split()
+            info['program'] = prog
+            if ver.startswith('v'):
+                ver = ver[1:]
+            info[vstr] = ver
+            if '.' not in proto:
+                proto += '.0'
+            else:
+                proto = proto.replace('.PR', '.')
+            info[pstr] = proto
+        elif line.startswith('Copyright '):
+            info['copyright'] = line[10:]
+        elif line.startswith('Web site: '):
+            info['url'] = line[10:]
+        elif line.startswith('  '):
+            if not saw_comma and ',' in line:
+                saw_comma = True
+                info[sect_name] = { }
+            if saw_comma:
+                for x in line.strip(' ,').split(', '):
+                    if ' ' in x:
+                        val, var = x.split(' ', 1)
+                        if val == 'no':
+                            val = False
+                        elif val.endswith('-bit'):
+                            var = var[:-1] + '_bits'
+                            val = int(val.split('-')[0])
+                    else:
+                        var = x
+                        val = True
+                    var = var.replace(' ', '_').replace('-', '_')
+                    if var in TWEAK_NAME:
+                        var = TWEAK_NAME[var]
+                    if sect_name[0] != 'o' and var in MOVE_OPTIM:
+                        misplaced_optims[var] = val
+                    else:
+                        info[sect_name][var] = val
+            else:
+                info[sect_name] += [ x for x in line.split() if not x.startswith('(') ]
+        elif line == '':
+            break
+        else:
+            sect_name = line.strip(' :').replace(' ', '_').lower()
+            info[sect_name] = [ ]
+            saw_comma = False
+    for chk in 'capabilities optimizations'.split():
+        if chk not in info:
+            info[chk] = { }
+    if misplaced_optims:
+        info['optimizations'].update(misplaced_optims)
+    for chk in 'checksum_list compress_list daemon_auth_list'.split():
+        if chk not in info:
+            info[chk] = [ ]
+    info['license'] = 'GPLv3' if ver[0] == '3' else 'GPLv2'
+    info['caveat'] = 'rsync comes with ABSOLUTELY NO WARRANTY'
+    print(json.dumps(info))
+
+
+if __name__ == '__main__':
+    parser = argparse.ArgumentParser(description="Output rsync's version data in JSON format, even if the rsync doesn't support a native json-output method.", add_help=False)
+    parser.add_argument('rsync', nargs='?', help="Specify an rsync command to run. Otherwise stdin is consumed.")
+    parser.add_argument("--help", "-h", action="help", help="Output this help message and exit.")
+    args = parser.parse_args()
+    main()
+
+# vim: sw=4 et

support/rrsync

@@ -47,6 +47,7 @@ long_opts = {
   'compress-choice': 1,
   'compress-level': 1,
   'copy-dest': 2,
+  'copy-devices': -1,
   'copy-unsafe-links': 0,
   'daemon': -1,
   'debug': 1,

support/rrsync.1.md

@@ -11,14 +11,20 @@ rrsync [-ro|-rw] [-munge] [-no-del] [-no-lock] DIR
 The single non-option argument specifies the restricted _DIR_ to use. It can be
 relative to the user's home directory or an absolute path.
 
-The online version of this man page (that includes cross-linking of topics)
+The online version of this manpage (that includes cross-linking of topics)
 is available at <https://download.samba.org/pub/rsync/rrsync.1>.
 
 ## DESCRIPTION
 
 A user's ssh login can be restricted to only allow the running of an rsync
-transfer in one of two easy ways: forcing the running of the rrsync script
-or forcing the running of an rsync daemon-over-ssh command.
+transfer in one of two easy ways:
+
+* forcing the running of the rrsync script
+* forcing the running of an rsync daemon-over-ssh command.
+
+Both of these setups use a feature of ssh that allows a command to be forced to
+run instead of an interactive shell.  However, if the user's home shell is bash,
+please see [BASH SECURITY ISSUE](#) for a potential issue.
 
 To use the rrsync script, edit the user's `~/.ssh/authorized_keys` file and add
 a prefix like one of the following (followed by a space) in front of each
@@ -47,13 +53,14 @@ ssh-key line that should be restricted:
 Then, ensure that the rsyncd.conf file is created with one or more module names
 with the appropriate path and option restrictions.  If rsync's
 [`--config`](rsync.1#dopt) option is omitted, it defaults to `~/rsyncd.conf`.
-See the `rsyncd.conf` man page for details of how to configure an rsync daemon.
+See the [**rsyncd.conf**(5)](rsyncd.conf.5) manpage for details of how to
+configure an rsync daemon.
 
 When using rrsync, there can be just one restricted dir per authorized key.  A
 daemon setup, on the other hand, allows multiple module names inside the config
 file, each one with its own path setting.
 
-The remainder of this man page is dedicated to using the rrsync script.
+The remainder of this manpage is dedicated to using the rrsync script.
 
 ## OPTIONS
 
@@ -104,6 +111,26 @@ overrides.
 The script (or a copy of it) can be manually edited if you want it to customize
 the option handling.
 
+## BASH SECURITY ISSUE
+
+If your users have bash set as their home shell, bash may try to be overly
+helpful and ensure that the user's login bashrc files are run prior to
+executing the forced command.  This can be a problem if the user can somehow
+update their home bashrc files, perhaps via the restricted copy, a shared home
+directory, or something similar.
+
+One simple way to avoid the issue is to switch the user to a simpler shell,
+such as dash.  When choosing the new home shell, make sure that you're not
+choosing bash in disguise, as it is unclear if it avoids the security issue.
+
+Another potential fix is to ensure that the user's home directory is not a
+shared mount and that they have no means of copying files outside of their
+restricted directories.  This may require you to force the enabling of symlink
+munging on the server side.
+
+A future version of openssh may have a change to the handling of forced
+commands that allows it to avoid using the user's home shell.
+
 ## EXAMPLES
 
 The `~/.ssh/authorized_keys` file might have lines in it like this:
@@ -119,11 +146,11 @@ The `~/.ssh/authorized_keys` file might have lines in it like this:
 
 ## SEE ALSO
 
-[**rsync**(1)](rsync.1)
+[**rsync**(1)](rsync.1), [**rsyncd.conf**(5)](rsyncd.conf.5)
 
 ## VERSION
 
-This man page is current for version @VERSION@ of rsync.
+This manpage is current for version @VERSION@ of rsync.
 
 ## CREDITS
 

t_chmod_secure.c

@@ -0,0 +1,117 @@
+/*
+ * Test harness for do_chmod_at(). Confirms the symlink-TOCTOU
+ * primitive used by CVE-2026-29518 (and its incomplete-fix follow-up
+ * for chmod) is closed by do_chmod_at(): a parent directory component
+ * being a symlink that escapes the receiver's confinement must be
+ * rejected, while a parent symlink that resolves *within* the tree
+ * must still work (so legitimate dir-symlinks are not regressed).
+ *
+ * Not linked into rsync itself.
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2 as
+ * published by the Free Software Foundation.
+ */
+
+#include "rsync.h"
+
+#include <sys/stat.h>
+
+int dry_run = 0;
+int am_root = 0;
+int am_sender = 0;
+int read_only = 0;
+int list_only = 0;
+int copy_links = 0;
+int copy_unsafe_links = 0;
+extern int am_daemon, am_chrooted;
+
+short info_levels[COUNT_INFO], debug_levels[COUNT_DEBUG];
+
+static int errs = 0;
+
+static void check(const char *label, int actual_rc, int expect_ok,
+		  const char *path, mode_t expected_mode)
+{
+	struct stat st;
+	int got_ok = (actual_rc == 0);
+	if (got_ok != expect_ok) {
+		fprintf(stderr, "FAIL [%s]: rc=%d errno=%d (%s), expected %s\n",
+			label, actual_rc, errno, strerror(errno),
+			expect_ok ? "success" : "rejection");
+		errs++;
+		return;
+	}
+	if (path && stat(path, &st) < 0) {
+		fprintf(stderr, "FAIL [%s]: stat(%s) failed: %s\n",
+			label, path, strerror(errno));
+		errs++;
+		return;
+	}
+	if (path && (st.st_mode & 07777) != expected_mode) {
+		fprintf(stderr,
+			"FAIL [%s]: %s mode is 0%o, expected 0%o\n",
+			label, path, st.st_mode & 07777, expected_mode);
+		errs++;
+		return;
+	}
+	fprintf(stderr, "OK   [%s]\n", label);
+}
+
+int main(int argc, char **argv)
+{
+	if (argc != 2) {
+		fprintf(stderr, "usage: %s <module-dir>\n", argv[0]);
+		return 2;
+	}
+	if (chdir(argv[1]) < 0) {
+		perror("chdir");
+		return 2;
+	}
+
+	/* Simulate the daemon-without-chroot deployment that do_chmod_at()
+	 * defends. With am_daemon=0 or am_chrooted=1 the wrapper falls
+	 * through to plain do_chmod() and the symlink-race test would be
+	 * meaningless. */
+	am_daemon = 1;
+	am_chrooted = 0;
+
+	/* Test layout (all inside the directory we just chdir'd to):
+	 *
+	 *     ./realdir/sentinel        -- regular target file
+	 *     ./inside_link -> realdir  -- legitimate dir-symlink within the tree
+	 *     ./escape_link -> ../trap  -- attacker swap, target outside tree
+	 *     ../trap/sentinel          -- the file the attacker wants to alter
+	 *
+	 * The shell wrapper that calls this helper has set both sentinel
+	 * files to mode 0600 so we have a clean baseline to compare.
+	 */
+
+	/* Scenario A: legitimate parent dir-symlink, chmod must succeed. */
+	int rc = do_chmod_at("inside_link/sentinel", 0640);
+	check("A: legit dir-symlink within tree",
+	      rc, 1, "realdir/sentinel", 0640);
+
+	/* Scenario B: parent symlink escapes the tree -- chmod must be
+	 * rejected and the outside file's mode must be unchanged. */
+	rc = do_chmod_at("escape_link/sentinel", 0666);
+	check("B: parent symlink escapes tree (the attack)",
+	      rc, 0, "../trap/sentinel", 0600);
+
+	/* Scenario C: plain relative path with no symlink components,
+	 * regression check that the safe wrapper doesn't break the
+	 * normal case. */
+	rc = do_chmod_at("realdir/sentinel", 0644);
+	check("C: plain relative path (regression check)",
+	      rc, 1, "realdir/sentinel", 0644);
+
+	/* Scenario D: top-level file, no parent directory component.
+	 * Falls back to do_chmod(); should succeed. */
+	rc = do_chmod_at("topfile", 0640);
+	check("D: top-level file, no parent component",
+	      rc, 1, "topfile", 0640);
+
+	if (errs)
+		fprintf(stderr, "%d failure(s)\n", errs);
+	return errs ? 1 : 0;
+}

t_secure_relpath.c

@@ -0,0 +1,151 @@
+/*
+ * Test harness for secure_relative_open()'s front-door input
+ * validation. Codex audit Finding 5 noted that the existing check
+ *
+ *     if (strncmp(relpath, "../", 3) == 0 || strstr(relpath, "/../"))
+ *
+ * catches "../foo" and "foo/../bar" but misses bare ".." (an actual
+ * one-level escape on platforms that fall back to the per-component
+ * walk), as well as "a/..", "foo/..", and any other form that
+ * decomposes to a ".." component when split on "/". The kernel-
+ * enforced RESOLVE_BENEATH (Linux 5.6+) and O_RESOLVE_BENEATH
+ * (FreeBSD 13+, macOS 15+) reject these in-kernel; the per-
+ * component fallback used on NetBSD, OpenBSD, Solaris, Cygwin and
+ * pre-5.6 Linux does not, so the validation must happen at the
+ * front door.
+ *
+ * This helper invokes secure_relative_open() with each suspect
+ * input and checks both the failure (rc < 0) and the errno
+ * (EINVAL means "rejected at the front door"). Pre-fix, the kernel
+ * may reject with a different errno (EXDEV from RESOLVE_BENEATH);
+ * post-fix, the front-door check catches every variant up front
+ * with a consistent EINVAL across platforms.
+ *
+ * Not linked into rsync itself.
+ */
+
+#include "rsync.h"
+
+#include <sys/stat.h>
+
+int dry_run = 0;
+int am_root = 0;
+int am_sender = 0;
+int read_only = 0;
+int list_only = 0;
+int copy_links = 0;
+int copy_unsafe_links = 0;
+extern int am_daemon, am_chrooted;
+
+short info_levels[COUNT_INFO], debug_levels[COUNT_DEBUG];
+
+static int errs = 0;
+
+static void check_relpath(const char *relpath)
+{
+	int fd;
+	int saved_errno;
+
+	errno = 0;
+	fd = secure_relative_open(NULL, relpath, O_RDONLY | O_DIRECTORY, 0);
+	saved_errno = errno;
+
+	if (fd >= 0) {
+		fprintf(stderr,
+			"FAIL [relpath=%-12s]: returned valid fd %d (escape) -- expected -1 EINVAL\n",
+			relpath, fd);
+		close(fd);
+		errs++;
+		return;
+	}
+
+	if (saved_errno != EINVAL) {
+		fprintf(stderr,
+			"FAIL [relpath=%-12s]: rejected but errno=%d (%s), expected EINVAL\n",
+			relpath, saved_errno, strerror(saved_errno));
+		errs++;
+		return;
+	}
+
+	fprintf(stderr, "OK   [relpath=%-12s]: rejected with EINVAL\n", relpath);
+}
+
+static void check_basedir(const char *basedir)
+{
+	int fd;
+	int saved_errno;
+
+	errno = 0;
+	fd = secure_relative_open(basedir, "ok", O_RDONLY | O_DIRECTORY, 0);
+	saved_errno = errno;
+
+	if (fd >= 0) {
+		fprintf(stderr,
+			"FAIL [basedir=%-12s]: returned valid fd %d -- expected -1 EINVAL\n",
+			basedir, fd);
+		close(fd);
+		errs++;
+		return;
+	}
+
+	if (saved_errno != EINVAL) {
+		fprintf(stderr,
+			"FAIL [basedir=%-12s]: rejected but errno=%d (%s), expected EINVAL\n",
+			basedir, saved_errno, strerror(saved_errno));
+		errs++;
+		return;
+	}
+
+	fprintf(stderr, "OK   [basedir=%-12s]: rejected with EINVAL\n", basedir);
+}
+
+int main(int argc, char **argv)
+{
+	if (argc != 2) {
+		fprintf(stderr, "usage: %s <test-dir>\n", argv[0]);
+		return 2;
+	}
+	if (chdir(argv[1]) < 0) {
+		perror("chdir");
+		return 2;
+	}
+
+	/* secure_relative_open's daemon-only confinement protections only
+	 * fire when am_daemon && !am_chrooted (the threat model is the
+	 * daemon-no-chroot deployment), but the front-door input
+	 * validation runs unconditionally. We set am_daemon anyway so the
+	 * helper exercises the same code shape the receiver does. */
+	am_daemon = 1;
+	am_chrooted = 0;
+
+	mkdir("subdir", 0755);
+
+	/* Each of these relpaths must be rejected with EINVAL at the
+	 * secure_relative_open() front door. ".." is the actual one-level
+	 * escape; the others ("subdir/..", "subdir/../subdir") resolve
+	 * back to the start dir on systems that allow them, but we still
+	 * reject them as defence-in-depth: a path containing a ".." token
+	 * is suspicious and the caller should normalise before passing
+	 * it in. The "../foo" / "foo/../bar" / "/foo" / "/" cases are
+	 * regression checks for the existing checks. */
+	check_relpath("..");
+	check_relpath("../foo");
+	check_relpath("subdir/..");
+	check_relpath("subdir/../subdir");
+	check_relpath("foo/../bar");
+	check_relpath("/foo");
+	check_relpath("/");
+
+	/* Same checks against basedir (which the codex Finding 2 fix
+	 * routes through the same RESOLVE_BENEATH-equivalent). Absolute
+	 * basedirs are operator-trusted and intentionally not validated
+	 * here. */
+	check_basedir("..");
+	check_basedir("../subdir");
+	check_basedir("subdir/..");
+	check_basedir("foo/../bar");
+
+	if (errs)
+		fprintf(stderr, "\n%d failure(s)\n", errs);
+	return errs ? 1 : 0;
+}

t_stub.c

@@ -23,13 +23,14 @@
 
 int do_fsync = 0;
 int inplace = 0;
+int am_daemon = 0;
+int am_chrooted = 0;
 int modify_window = 0;
 int preallocate_files = 0;
 int protect_args = 0;
 int module_id = -1;
 int relative_paths = 0;
 int module_dirlen = 0;
-int preserve_mtimes = 0;
 int preserve_xattrs = 0;
 int preserve_perms = 0;
 int preserve_executability = 0;

t_unsafe.c

@@ -28,6 +28,9 @@ int am_root = 0;
 int am_sender = 1;
 int read_only = 0;
 int list_only = 0;
+int copy_links = 0;
+int copy_unsafe_links = 0;
+
 short info_levels[COUNT_INFO], debug_levels[COUNT_DEBUG];
 
 int

testsuite/00-hello.test

@@ -29,7 +29,7 @@ append_line test1
 checkit "$RSYNC -ai '$fromdir/' '$todir/'" "$fromdir" "$todir"
 
 copy_weird() {
-    checkit "$RSYNC $1 \"$2$fromdir/$weird_name/\" \"$3$todir/$weird_name\"" "$fromdir" "$todir"
+    checkit "$RSYNC $1 --rsync-path='$RSYNC' '$2$fromdir/$weird_name/' '$3$todir/$weird_name'" "$fromdir" "$todir"
 }
 
 append_line test2
@@ -47,7 +47,7 @@ copy_weird '-ais' '' 'lh:'
 echo test6
 
 touch "$fromdir/one" "$fromdir/two"
-(cd "$fromdir" && $RSYNC -ai --old-args lh:'one two' "$todir/")
+(cd "$fromdir" && $RSYNC -ai --old-args --rsync-path="$RSYNC" lh:'one two' "$todir/")
 if [ ! -f "$todir/one" ] || [ ! -f "$todir/two" ]; then
     test_fail "old-args copy of 'one two' failed"
 fi
@@ -55,7 +55,7 @@ fi
 echo test7
 
 rm "$todir/one" "$todir/two"
-(cd "$fromdir" && RSYNC_OLD_ARGS=1 $RSYNC -ai lh:'one two' "$todir/")
+(cd "$fromdir" && RSYNC_OLD_ARGS=1 $RSYNC -ai --rsync-path="$RSYNC" lh:'one two' "$todir/")
 
 # The script would have aborted on error, so getting here means we've won.
 exit 0

testsuite/acls-default.test

@@ -7,7 +7,7 @@
 
 . $suitedir/rsync.fns
 
-$RSYNC --version | grep "[, ] ACLs" >/dev/null || test_skipped "Rsync is configured without ACL support"
+$RSYNC -VV | grep '"ACLs": true' >/dev/null || test_skipped "Rsync is configured without ACL support"
 
 case "$setfacl_nodef" in
 true) test_skipped "I don't know how to use your setfacl command" ;;

testsuite/acls.test

@@ -7,7 +7,7 @@
 
 . $suitedir/rsync.fns
 
-$RSYNC --version | grep "[, ] ACLs" >/dev/null || test_skipped "Rsync is configured without ACL support"
+$RSYNC -VV | grep '"ACLs": true' >/dev/null || test_skipped "Rsync is configured without ACL support"
 
 makepath "$fromdir/foo"
 echo something >"$fromdir/file1"

testsuite/alt-dest-symlink-race.test

@@ -0,0 +1,113 @@
+#!/bin/sh
+
+# Copyright (C) 2026 by Andrew Tridgell
+
+# This program is distributable under the terms of the GNU GPL (see
+# COPYING).
+
+# Regression test for the basedir-confinement gap in
+# secure_relative_open(). The function opens basedir with a plain
+# openat(AT_FDCWD, basedir, O_RDONLY | O_DIRECTORY), without
+# RESOLVE_BENEATH or a per-component O_NOFOLLOW walk, so a parent
+# symlink ON basedir is followed unrestrictedly. RESOLVE_BENEATH is
+# then applied only to relpath, anchored at the wrong directory.
+#
+# The receiver's basis-file lookup at receiver.c passes
+# basis_dir[fnamecmp_type] (from --copy-dest / --link-dest /
+# --compare-dest -- all sender-controllable in daemon mode) as
+# basedir. A daemon-module attacker with write access can plant a
+# symlink at module/cd -> /outside, then run --link-dest=cd to
+# make the daemon's basis-file lookup resolve into /outside,
+# leaking the contents of daemon-readable files via the rsync
+# delta-rolling read-disclosure primitive.
+#
+# We detect the escape by leveraging --link-dest: when basis
+# matches source exactly (content + mtime + mode), --link-dest
+# hard-links the destination to the basis file. With the bug, the
+# destination ends up as a hard link to the outside-the-module
+# file (same inode). With the fix, no basis is found and the
+# destination is a fresh copy (different inode).
+#
+# The vulnerable code path is the same on every platform
+# (including the per-component fallback on systems without
+# RESOLVE_BENEATH), so this test is not platform-gated.
+
+. "$suitedir/rsync.fns"
+
+mod="$scratchdir/module"
+outside="$scratchdir/outside"
+src="$scratchdir/src"
+conf="$scratchdir/test-rsyncd.conf"
+
+rm -rf "$mod" "$outside" "$src"
+mkdir -p "$mod" "$outside" "$src"
+
+# Portable inode-number helper (GNU coreutils stat -c, BSD stat -f).
+file_inode() {
+    stat -c %i "$1" 2>/dev/null || stat -f %i "$1"
+}
+
+# Outside-the-module file an attacker would like the daemon to
+# treat as a basis.
+echo "OUTSIDE_SECRET_DATA" > "$outside/target.txt"
+chmod 0644 "$outside/target.txt"
+
+# The symlink trap planted in the module by the local attacker.
+ln -s "$outside" "$mod/cd"
+
+# Source file matches outside/target.txt exactly (content + mtime
+# + mode) so --link-dest will hard-link the destination to the
+# basis file iff the daemon's basedir lookup reaches outside/.
+echo "OUTSIDE_SECRET_DATA" > "$src/target.txt"
+touch -r "$outside/target.txt" "$src/target.txt"
+chmod 0644 "$src/target.txt"
+
+# When running as root the daemon would drop to "nobody" by
+# default, which can't write into the test scratch dir. Force the
+# daemon to keep our uid/gid in that case so the basis-link
+# transfer can actually create the destination file. (Non-root
+# can't specify uid/gid in rsyncd.conf -- comment them out then.)
+my_uid=`get_testuid`
+root_uid=`get_rootuid`
+root_gid=`get_rootgid`
+uid_setting="uid = $root_uid"
+gid_setting="gid = $root_gid"
+if test x"$my_uid" != x"$root_uid"; then
+    uid_setting="#$uid_setting"
+    gid_setting="#$gid_setting"
+fi
+
+cat > "$conf" <<EOF
+use chroot = no
+$uid_setting
+$gid_setting
+log file = $scratchdir/rsyncd.log
+[upload]
+    path = $mod
+    use chroot = no
+    read only = no
+EOF
+
+# Recursive --link-dest push directly into the module root. We
+# avoid pushing into a destination subdir because the receiver
+# would chdir into it before resolving --link-dest, making the
+# relative basedir "cd" resolve in the wrong CWD and masking the
+# bug. The realistic attack pushes into the module root (or the
+# attacker uses a basedir path that resolves correctly from
+# whichever subdir the receiver chdirs into).
+RSYNC_CONNECT_PROG="$RSYNC --config=$conf --daemon" \
+    $RSYNC -rtp --link-dest=cd "$src/" rsync://localhost/upload/ \
+    >/dev/null 2>&1 || true
+
+if [ ! -f "$mod/target.txt" ]; then
+    test_fail "destination file was not created -- daemon transfer failed before the test could observe the basedir behaviour"
+fi
+
+outside_inode=$(file_inode "$outside/target.txt")
+dst_inode=$(file_inode "$mod/target.txt")
+
+if [ "$outside_inode" = "$dst_inode" ]; then
+    test_fail "basedir-escape: --link-dest hard-linked module/target.txt to outside/target.txt (inode $outside_inode); daemon's basis-file lookup followed the parent symlink on the basedir"
+fi
+
+exit 0

testsuite/alt-dest.test

@@ -0,0 +1,68 @@
+#!/bin/sh
+
+# Copyright (C) 2004-2022 Wayne Davison
+
+# This program is distributable under the terms of the GNU GPL (see
+# COPYING).
+
+# Test rsync handling of --compare-dest and similar options.
+
+. "$suitedir/rsync.fns"
+
+alt1dir="$tmpdir/alt1"
+alt2dir="$tmpdir/alt2"
+alt3dir="$tmpdir/alt3"
+
+SSH="$scratchdir/src/support/lsh.sh"
+
+# Build some files/dirs/links to copy
+
+hands_setup
+
+# Setup the alt and chk dirs
+$RSYNC -av --include=text --include='*/' --exclude='*' "$fromdir/" "$alt1dir/"
+$RSYNC -av --include=etc-ltr-list --include='*/' --exclude='*' "$fromdir/" "$alt2dir/"
+
+# Create a side dir where there is a candidate destfile of the same name as a sourcefile
+echo "This is a test file" >"$fromdir/likely"
+
+mkdir "$alt3dir"
+echo "This is a test file" >"$alt3dir/likely"
+
+sleep 1
+touch "$fromdir/dir/text" "$fromdir/likely"
+
+$RSYNC -av --exclude=/text --exclude=etc-ltr-list "$fromdir/" "$chkdir/"
+
+# Let's do it!
+checkit "$RSYNC -avv --no-whole-file \
+    --compare-dest='$alt1dir' --compare-dest='$alt2dir' \
+    '$fromdir/' '$todir/'" "$chkdir" "$todir"
+
+rm -rf "$todir"
+checkit "$RSYNC -avv --no-whole-file \
+    --copy-dest='$alt1dir' --copy-dest='$alt2dir' \
+    '$fromdir/' '$todir/'" "$fromdir" "$todir"
+
+# Test that copy_file() works correctly with tmpfiles
+for maybe_inplace in '' --inplace; do
+    rm -rf "$todir"
+    checkit "$RSYNC -av $maybe_inplace --copy-dest='$alt3dir' \
+	'$fromdir/' '$todir/'" "$fromdir" "$todir"
+
+    for srchost in '' 'localhost:'; do
+	if [ -z "$srchost" ]; then
+	    desthost='localhost:'
+	else
+	    desthost=''
+	fi
+
+	rm -rf "$todir"
+	checkit "$RSYNC -ave '$SSH' --rsync-path='$RSYNC' $maybe_inplace \
+	    --copy-dest='$alt3dir' '$srchost$fromdir/' '$desthost$todir/'" \
+	    "$fromdir" "$todir"
+    done
+done
+
+# The script would have aborted on error, so getting here means we've won.
+exit 0

testsuite/atimes.test

@@ -4,7 +4,7 @@
 
 . "$suitedir/rsync.fns"
 
-$RSYNC --version | grep "[, ] atimes" >/dev/null || test_skipped "Rsync is configured without atimes support"
+$RSYNC -VV | grep '"atimes": true' >/dev/null || test_skipped "Rsync is configured without atimes support"
 
 mkdir "$fromdir"
 

testsuite/bare-do-open-symlink-race.test

@@ -0,0 +1,206 @@
+#!/bin/sh
+
+# Copyright (C) 2026 by Andrew Tridgell
+
+# This program is distributable under the terms of the GNU GPL (see
+# COPYING).
+
+# Regression test for codex audit Findings 3b and 3c:
+#
+#   3b: generator.c:1905 -- the in-place backup creation opens
+#       backupptr via bare do_open(O_WRONLY|O_CREAT|O_TRUNC|O_EXCL).
+#       With --backup-dir set to an attacker-planted parent symlink,
+#       the backup file is written outside the module under the
+#       daemon's authority.
+#
+#   3c-symlink: syscall.c:207 -- do_symlink_at falls through to bare
+#       do_symlink for am_root < 0 (fake-super), which then opens
+#       the destination path with bare open() (final-component
+#       fake-super file). A parent symlink on the destination path
+#       redirects the file creation outside the module.
+#
+#   3c-mknod: syscall.c:506 -- do_mknod_at falls through to bare
+#       do_mknod for am_root < 0, same path-based open(). For
+#       FIFOs/sockets/devices the bare path is also used.
+#
+# Each scenario plants a "secret" file outside the module at a
+# location the symlink trap points to. The check is that the
+# outside file's content and mode are unchanged after the attack
+# attempt.
+
+. "$suitedir/rsync.fns"
+
+# All three scenarios depend on receiver-side daemon code paths
+# that are only secured on platforms with a working
+# secure_relative_open. The chdir/chmod tests already skip the
+# same set; mirror that.
+case "$(uname -s)" in
+    SunOS|OpenBSD|NetBSD|CYGWIN*)
+        test_skipped "secure_relative_open relies on RESOLVE_BENEATH-equivalent kernel support not available on $(uname -s)"
+        ;;
+esac
+
+mod="$scratchdir/module"
+outside="$scratchdir/outside"
+src="$scratchdir/src"
+conf="$scratchdir/test-rsyncd.conf"
+
+# Portable inode-and-mode helpers.
+file_mode() {
+    stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1"
+}
+
+setup() {
+    rm -rf "$mod" "$outside" "$src"
+    mkdir -p "$mod" "$outside" "$src"
+
+    echo "OUTSIDE_PROTECTED_DATA" > "$outside/target.txt"
+    chmod 0644 "$outside/target.txt"
+    outside_pristine="$scratchdir/outside-pristine.txt"
+    cp -p "$outside/target.txt" "$outside_pristine"
+
+    ln -s "$outside" "$mod/cd"
+}
+
+verify_outside_unchanged() {
+    label="$1"
+    mode=$(file_mode "$outside/target.txt")
+    case "$mode" in
+        644|0644) ;;
+        *) test_fail "$label: outside/target.txt mode changed from 644 to $mode" ;;
+    esac
+    if ! cmp -s "$outside/target.txt" "$outside_pristine"; then
+        test_fail "$label: outside/target.txt content changed -- daemon followed the cd symlink"
+    fi
+}
+
+verify_outside_unchanged_or_absent() {
+    label="$1"
+    target="$2"  # specific file under outside/ to check absence of
+    if [ -e "$outside/$target" ]; then
+        test_fail "$label: outside/$target was created -- daemon followed the cd symlink"
+    fi
+}
+
+# When running as root the daemon would drop to "nobody" by default
+# and fail to write into the test scratch dir. Force it to keep our
+# uid/gid in that case so the receiver actually runs the code paths
+# we want to test.
+my_uid=`get_testuid`
+root_uid=`get_rootuid`
+root_gid=`get_rootgid`
+uid_setting="uid = $root_uid"
+gid_setting="gid = $root_gid"
+if test x"$my_uid" != x"$root_uid"; then
+    uid_setting="#$uid_setting"
+    gid_setting="#$gid_setting"
+fi
+
+
+############################################################
+# Scenario 3b: --inplace --backup --backup-dir=cd
+#
+# Pre-create module/target.txt so the receiver enters the in-place
+# update path; a backup of the existing content must be made
+# before the update. With --backup-dir=cd, backupptr resolves to
+# "cd/target.txt"; with the bug, robust_unlink and the bare
+# do_open at generator.c:1905 both follow the cd symlink, the
+# unlink deletes outside/target.txt and the create writes the
+# pre-existing module/target.txt content there.
+############################################################
+
+setup
+echo "EXISTING_MODULE_DATA" > "$mod/target.txt"
+chmod 0666 "$mod/target.txt"
+echo "NEW_DATA_FROM_SENDER" > "$src/target.txt"
+chmod 0644 "$src/target.txt"
+
+cat > "$conf" <<EOF
+use chroot = no
+$uid_setting
+$gid_setting
+log file = $scratchdir/rsyncd.log
+[upload]
+    path = $mod
+    use chroot = no
+    read only = no
+EOF
+
+RSYNC_CONNECT_PROG="$RSYNC --config=$conf --daemon" \
+    $RSYNC --inplace --backup --backup-dir=cd "$src/target.txt" \
+    rsync://localhost/upload/target.txt >/dev/null 2>&1 || true
+
+verify_outside_unchanged "3b inplace+backup-dir=cd"
+
+
+############################################################
+# Scenario 3c-symlink: fake-super symlink push to a path with a
+# symlinked parent
+#
+# With "fake super = yes" set on the module, the receiver
+# represents symlinks as fake-super files (regular files with the
+# link target written to them). The path-based open() in
+# do_symlink's fake-super branch follows parent symlinks. We push
+# a single symlink to the destination path "cd/sym" so the
+# receiver's create-file call lands at "cd/sym" relative to the
+# module root, where cd is the symlink trap.
+############################################################
+
+setup
+
+mkdir -p "$src/cd"
+ln -s /etc/passwd "$src/cd/sym"
+
+cat > "$conf" <<EOF
+use chroot = no
+$uid_setting
+$gid_setting
+log file = $scratchdir/rsyncd.log
+[upload_fake]
+    path = $mod
+    use chroot = no
+    read only = no
+    fake super = yes
+EOF
+
+RSYNC_CONNECT_PROG="$RSYNC --config=$conf --daemon" \
+    $RSYNC -rl "$src/" rsync://localhost/upload_fake/ >/dev/null 2>&1 || true
+
+verify_outside_unchanged_or_absent "3c-symlink fake-super symlink push" "sym"
+
+
+############################################################
+# Scenario 3c-mknod: fake-super FIFO push to a path with a
+# symlinked parent
+#
+# Similar to 3c-symlink but for special files. mkfifo works
+# without root; we push a FIFO and verify the receiver doesn't
+# create a fake-super file at outside/fifo.
+############################################################
+
+setup
+
+mkdir -p "$src/cd"
+mkfifo "$src/cd/fifo" 2>/dev/null
+if [ ! -p "$src/cd/fifo" ]; then
+    test_skipped "mkfifo unavailable; cannot exercise 3c-mknod"
+fi
+
+cat > "$conf" <<EOF
+use chroot = no
+$uid_setting
+$gid_setting
+log file = $scratchdir/rsyncd.log
+[upload_fake]
+    path = $mod
+    use chroot = no
+    read only = no
+    fake super = yes
+EOF
+
+RSYNC_CONNECT_PROG="$RSYNC --config=$conf --daemon" \
+    $RSYNC -rD "$src/" rsync://localhost/upload_fake/ >/dev/null 2>&1 || true
+
+verify_outside_unchanged_or_absent "3c-mknod fake-super FIFO push" "fifo"
+
+exit 0

testsuite/chdir-symlink-race.test

@@ -0,0 +1,135 @@
+#!/bin/sh
+
+# Copyright (C) 2026 by Andrew Tridgell
+
+# This program is distributable under the terms of the GNU GPL (see
+# COPYING).
+
+# Regression test for the symlink-TOCTOU class of bug at the receiver's
+# chdir(). After the CVE-2026-29518 fix to secure_relative_open(), an
+# attack remained where the receiver's chdir() into a destination
+# subdirectory followed an attacker-planted symlink, escaping the
+# module. Every subsequent path-relative syscall (open, chmod, lchown,
+# utimes, etc.) inherited the escape -- secure_relative_open's
+# RESOLVE_BENEATH anchor itself was outside the module by then, so it
+# stopped protecting against anything.
+#
+# This test runs an actual rsync daemon (via RSYNC_CONNECT_PROG to
+# avoid the network) configured with "use chroot = no", plants a
+# symlink at module/subdir -> ../outside, and runs four flavours of
+# rsync transfer that previously all reached files in ../outside:
+#
+#   1. single-file dest = subdir/target.txt    (the original poc_chmod)
+#   2. -r src/subdir/ to upload/subdir/        (the chdir-escape case)
+#   3. -r src/subdir/ to upload/subdir/        (no --size-only: forces basis read+write)
+#   4. -r src/ to upload/                      (was already protected by the
+#                                               original CVE-2026-29518 fix;
+#                                               regression-checked here)
+#
+# All four must leave the outside-the-module sentinel file's mode AND
+# content unchanged.
+
+. "$suitedir/rsync.fns"
+
+case "$(uname -s)" in
+    SunOS|OpenBSD|NetBSD|CYGWIN*)
+	test_skipped "secure chdir relies on RESOLVE_BENEATH-equivalent kernel support not available on $(uname -s)"
+	;;
+esac
+
+mod="$scratchdir/module"
+outside="$scratchdir/outside"
+src="$scratchdir/src"
+conf="$scratchdir/test-rsyncd.conf"
+
+rm -rf "$mod" "$outside" "$src"
+mkdir -p "$mod" "$outside" "$src" "$src/subdir"
+
+# Portable octal-mode helper -- macOS and FreeBSD's stat use -f, GNU
+# coreutils stat uses -c.
+file_mode() {
+    stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1"
+}
+
+# The "secret" file outside the module the attacker is trying to alter.
+# Save a pristine copy alongside it so we can compare with cmp(1) rather
+# than depending on sha1sum/shasum/sha1, which differ across platforms.
+echo "OUTSIDE_SECRET_DATA" > "$outside/target.txt"
+chmod 0600 "$outside/target.txt"
+outside_pristine="$scratchdir/outside-pristine.txt"
+cp -p "$outside/target.txt" "$outside_pristine"
+
+# Symlink trap planted in the module by the local attacker.
+ln -s "$outside" "$mod/subdir"
+
+# Source files the sender will push: same size as the outside target,
+# different content, mode 0666 (the perms the attacker tries to push).
+SIZE=$(stat -c %s "$outside/target.txt" 2>/dev/null \
+       || stat -f %z "$outside/target.txt")
+head -c "$SIZE" /dev/urandom > "$src/target.txt"
+head -c "$SIZE" /dev/urandom > "$src/subdir/target.txt"
+chmod 0666 "$src/target.txt" "$src/subdir/target.txt"
+
+cat > "$conf" <<EOF
+use chroot = no
+log file = $scratchdir/rsyncd.log
+[upload]
+    path = $mod
+    use chroot = no
+    read only = no
+EOF
+
+reset_outside() {
+    chmod 0600 "$outside/target.txt"
+    echo "OUTSIDE_SECRET_DATA" > "$outside/target.txt"
+}
+
+verify_unchanged() {
+    label="$1"
+    mode=$(file_mode "$outside/target.txt")
+    case "$mode" in
+	600|0600) ;;
+	*) test_fail "$label: outside file mode changed from 600 to $mode (chmod escape)" ;;
+    esac
+    if ! cmp -s "$outside/target.txt" "$outside_pristine"; then
+	test_fail "$label: outside file content changed (write escape)"
+    fi
+}
+
+run_attack() {
+    label="$1"; shift
+    reset_outside
+    RSYNC_CONNECT_PROG="$RSYNC --config=$conf --daemon" \
+	$RSYNC "$@" >/dev/null 2>&1 || true
+    verify_unchanged "$label"
+}
+
+# 1. The original poc_chmod scenario: single file, dest path with
+#    the symlinked subdir as a path component. With --size-only the
+#    receiver normally skips the basis open and goes straight to chmod
+#    -- only the chdir-escape blocks the chmod from reaching outside.
+run_attack "single-file --size-only" \
+    -tp --size-only \
+    "$src/target.txt" rsync://localhost/upload/subdir/target.txt
+
+# 2. -r push into the symlinked subdir: receiver chdir's into "subdir",
+#    follows the symlink, ends up in outside.
+run_attack "-r --size-only into subdir/" \
+    -rtp --size-only \
+    "$src/subdir/" rsync://localhost/upload/subdir/
+
+# 3. Same but no --size-only -- forces the basis-file open and a real
+#    rename, so this exercises the read-disclosure and write-escape
+#    paths together.
+run_attack "-r without --size-only into subdir/" \
+    -rtp \
+    "$src/subdir/" rsync://localhost/upload/subdir/
+
+# 4. -r src/ to upload/ -- this case was already covered by the
+#    original CVE-2026-29518 fix because the receiver stays at module
+#    root and operates on slashed paths. Regression check.
+run_attack "-r --size-only into upload/ root" \
+    -rtp --size-only \
+    "$src/" rsync://localhost/upload/
+
+exit 0

testsuite/chmod-symlink-race.test

@@ -0,0 +1,68 @@
+#!/bin/sh
+
+# Copyright (C) 2026 by Andrew Tridgell
+
+# This program is distributable under the terms of the GNU GPL (see
+# COPYING).
+
+# Regression test for the symlink-TOCTOU class of bug applied to
+# chmod() on the receiver side. The CVE-2026-29518 fix used
+# secure_relative_open() for the basis-file open, but every other
+# path-based syscall the receiver runs on sender-controllable paths
+# is vulnerable to the same primitive: a local attacker swaps a
+# symlink into one of the parent directory components between the
+# receiver's check and its act, and the syscall escapes the module.
+#
+# This test exercises the new do_chmod_at() wrapper via the
+# t_chmod_secure helper. The helper sets up two scenarios:
+#   - a parent dir-symlink that resolves WITHIN the module tree
+#     (legitimate -K-style use, must continue to work)
+#   - a parent dir-symlink that escapes the module tree (the
+#     attack, must be rejected)
+# plus two regression scenarios (plain relative path, top-level
+# file) that just confirm the safe wrapper doesn't break the
+# normal case.
+#
+# The kernel-enforced "stay below dirfd" path resolution is
+# only available on Linux 5.6+, FreeBSD 13+, and macOS 15+.
+# Skip on platforms that fall back to per-component O_NOFOLLOW
+# (Solaris, OpenBSD, NetBSD, Cygwin); the per-component fallback
+# would also reject the attack but the legitimate dir-symlink
+# scenario would fail there.
+
+. "$suitedir/rsync.fns"
+
+case "$(uname -s)" in
+    SunOS|OpenBSD|NetBSD|CYGWIN*)
+	test_skipped "do_chmod_at relies on RESOLVE_BENEATH-equivalent kernel support not available on $(uname -s)"
+	;;
+esac
+
+mod="$scratchdir/module"
+trap_outside="$scratchdir/trap"
+rm -rf "$mod" "$trap_outside"
+mkdir -p "$mod/realdir" "$trap_outside"
+
+# Set up the four file-system objects the helper expects:
+echo bystander > "$mod/realdir/sentinel"
+chmod 0600 "$mod/realdir/sentinel"
+echo target > "$trap_outside/sentinel"
+chmod 0600 "$trap_outside/sentinel"
+ln -s realdir "$mod/inside_link"
+ln -s ../trap "$mod/escape_link"
+echo top > "$mod/topfile"
+chmod 0600 "$mod/topfile"
+
+"$TOOLDIR/t_chmod_secure" "$mod" || \
+    test_fail "t_chmod_secure reported failures (see stderr above)"
+
+# Sanity-check from the shell side too: the outside file's mode must
+# still be 0600 -- the helper checked this, but a second look from
+# the shell guards against a helper-internal stat() bug.
+mode=$(stat -c '%a' "$trap_outside/sentinel" 2>/dev/null \
+       || stat -f '%Lp' "$trap_outside/sentinel" 2>/dev/null)
+if [ "$mode" != "600" ]; then
+    test_fail "outside sentinel mode changed from 600 to $mode -- chmod escaped the module"
+fi
+
+exit 0

testsuite/chown.test

@@ -15,7 +15,7 @@
 
 case $0 in
 *fake*)
-    $RSYNC --version | grep "[, ] xattrs" >/dev/null || test_skipped "Rsync needs xattrs for fake device tests"
+    $RSYNC -VV | grep '"xattrs": true' >/dev/null || test_skipped "Rsync needs xattrs for fake device tests"
     RSYNC="$RSYNC --fake-super"
     TLS_ARGS="$TLS_ARGS --fake-super"
     case "$HOST_OS" in

testsuite/clean-fname-underflow.test

@@ -0,0 +1,80 @@
+#!/bin/sh
+# clean-fname-underflow.test
+# Ensure clean_fname() does not read-before-buffer when collapsing "..".
+# This exercises the --server path where a crafted merge filename hits clean_fname().
+#
+# Usage:
+#   ./configure && make
+#   make check TESTS='clean-fname-underflow.test'
+
+set -eu
+
+# clean_fname() is platform-agnostic; the test only needs to run on one
+# host. Skip on non-Linux to avoid quirks in older /bin/sh implementations
+# (Solaris exited silently here, producing an empty log under set -eu).
+# runtests.sh expects $scratchdir/whyskipped to exist when a test exits 77.
+case "$(uname -s)" in
+  Linux) ;;
+  *)
+    if [ -n "${scratchdir:-}" ]; then
+      echo "Linux-only test (uname -s = $(uname -s))" > "$scratchdir/whyskipped"
+    fi
+    exit 77 ;;
+esac
+
+# Try to find the just-built rsync binary if RSYNC_BIN isn't set.
+if [ -z "${RSYNC_BIN:-}" ]; then
+  if [ -x "./rsync" ]; then
+    RSYNC_BIN=$(pwd)/rsync
+  elif [ -x "../rsync" ]; then
+    RSYNC_BIN=$(cd .. && pwd)/rsync
+  else
+    RSYNC_BIN=rsync
+  fi
+fi
+
+workdir="${TMPDIR:-/tmp}/rsync-clean-fname.$$"
+mkdir -p "$workdir"
+trap 'rm -rf "$workdir"' EXIT INT TERM
+cd "$workdir"
+
+# Minimal rsyncd.conf using chroot so the crafted path reaches the server parser.
+cat > rsyncd.conf <<'EOF'
+pid file = rsyncd.pid
+use chroot = true
+[mod]
+    path = ./mod
+    read only = false
+EOF
+mkdir -p mod
+
+# Start daemon on a random high port.
+PORT=$(awk 'BEGIN{srand(); printf "%d", 20000+int(rand()*20000)}')
+"$RSYNC_BIN" --daemon --no-detach --config=rsyncd.conf --port="$PORT" >/dev/null 2>&1 &
+DAEMON_PID=$!
+# Give the daemon a moment to come up.
+# Use integer second; subsecond sleep is not portable (e.g. Solaris /usr/bin/sleep).
+sleep 1
+
+# Invoke the server-side path. We don't need a real transfer; we just want to
+# ensure clean_fname() doesn't crash when given "a/../test" via --filter=merge.
+EXIT_OK=0
+if "$RSYNC_BIN"     --server --sender -vlr     --filter='merge a/../test'     . mod/  >/dev/null 2>&1; then
+  EXIT_OK=1
+else
+  status=$?
+  # Non-zero exit is expected for bogus input; ensure it wasn't a signal/crash.
+  if [ $status -lt 128 ]; then
+    EXIT_OK=1
+  fi
+fi
+
+kill "$DAEMON_PID" >/dev/null 2>&1 || true
+
+if [ "$EXIT_OK" -ne 1 ]; then
+  echo "clean-fname-underflow.test: rsync exited due to a signal or unexpected status"
+  exit 1
+fi
+
+echo "OK: clean_fname() handled 'a/../test' without crashing"
+exit 0

testsuite/compare-dest.test

@@ -1,37 +0,0 @@
-#!/bin/sh
-
-# Copyright (C) 2004-2022 Wayne Davison
-
-# This program is distributable under the terms of the GNU GPL (see
-# COPYING).
-
-# Test rsync handling of the --compare-dest option.
-
-. "$suitedir/rsync.fns"
-
-alt1dir="$tmpdir/alt1"
-alt2dir="$tmpdir/alt2"
-
-# Build some files/dirs/links to copy
-
-hands_setup
-
-# Setup the alt and chk dirs
-$RSYNC -av --include=text --include='*/' --exclude='*' "$fromdir/" "$alt1dir/"
-$RSYNC -av --include=etc-ltr-list --include='*/' --exclude='*' "$fromdir/" "$alt2dir/"
-
-sleep 1
-touch "$fromdir/dir/text"
-
-$RSYNC -av --exclude=/text --exclude=etc-ltr-list "$fromdir/" "$chkdir/"
-
-# Let's do it!
-checkit "$RSYNC -avv --no-whole-file \
-    --compare-dest='$alt1dir' --compare-dest='$alt2dir' \
-    '$fromdir/' '$todir/'" "$chkdir" "$todir"
-checkit "$RSYNC -avv --no-whole-file \
-    --copy-dest='$alt1dir' --copy-dest='$alt2dir' \
-    '$fromdir/' '$todir/'" "$fromdir" "$todir"
-
-# The script would have aborted on error, so getting here means we've won.
-exit 0

testsuite/copy-dest-source-symlink.test

@@ -0,0 +1,98 @@
+#!/bin/sh
+
+# Copyright (C) 2026 by Andrew Tridgell
+
+# This program is distributable under the terms of the GNU GPL (see
+# COPYING).
+
+# Regression test for codex audit Finding 3a: copy_file()'s source
+# open in copy_altdest_file() is via do_open_nofollow(), which only
+# refuses a final-component symlink. Parent components are still
+# resolved with normal symlink-following. A daemon module attacker
+# who plants a parent symlink at module/cd -> /outside, then runs
+# --copy-dest=cd against a source file matching the size+mtime of
+# /outside/target.txt, drives the receiver to:
+#
+#   1. Find a match-level >= 2 basis at "cd/target.txt"
+#   2. Call copy_altdest_file -> copy_file(src="cd/target.txt", ...)
+#   3. do_open_nofollow follows the "cd" parent symlink and reads
+#      the contents of /outside/target.txt under the daemon's
+#      authority
+#   4. Copy that content into the module destination
+#
+# Result: outside/target.txt content lands at module/target.txt,
+# accessible to the attacker on a subsequent pull.
+#
+# We detect by content: src/target.txt and outside/target.txt have
+# identical metadata (size + mtime + mode) but different content.
+# After the transfer, module/target.txt should match src (no
+# basedir escape) -- if it matches outside, the bug copied across
+# the symlink boundary.
+
+. "$suitedir/rsync.fns"
+
+mod="$scratchdir/module"
+outside="$scratchdir/outside"
+src="$scratchdir/src"
+conf="$scratchdir/test-rsyncd.conf"
+
+rm -rf "$mod" "$outside" "$src"
+mkdir -p "$mod" "$outside" "$src"
+
+# Outside-the-module file the daemon should not read on the
+# attacker's behalf.
+echo "OUTSIDE_LEAKED_DATA!" > "$outside/target.txt"
+chmod 0644 "$outside/target.txt"
+
+# The symlink trap.
+ln -s "$outside" "$mod/cd"
+
+# Source: same size, same mtime, same mode as outside -- so the
+# generator's link_stat + quick_check_ok finds a match-level >= 2
+# basis and calls copy_altdest_file.
+echo "ATTACKER_KNOWN_DATA!" > "$src/target.txt"
+touch -r "$outside/target.txt" "$src/target.txt"
+chmod 0644 "$src/target.txt"
+
+# When running as root the daemon would drop to "nobody" by
+# default and fail to mkstemp in the scratch dir; force it to
+# keep our uid/gid in that case.
+my_uid=`get_testuid`
+root_uid=`get_rootuid`
+root_gid=`get_rootgid`
+uid_setting="uid = $root_uid"
+gid_setting="gid = $root_gid"
+if test x"$my_uid" != x"$root_uid"; then
+    uid_setting="#$uid_setting"
+    gid_setting="#$gid_setting"
+fi
+
+cat > "$conf" <<EOF
+use chroot = no
+$uid_setting
+$gid_setting
+log file = $scratchdir/rsyncd.log
+[upload]
+    path = $mod
+    use chroot = no
+    read only = no
+EOF
+
+# --copy-dest push to module root.
+RSYNC_CONNECT_PROG="$RSYNC --config=$conf --daemon" \
+    $RSYNC -rtp --copy-dest=cd "$src/" rsync://localhost/upload/ \
+    >/dev/null 2>&1 || true
+
+if [ ! -f "$mod/target.txt" ]; then
+    test_fail "destination file was not created -- daemon transfer failed before the test could observe the basedir behaviour"
+fi
+
+if cmp -s "$mod/target.txt" "$outside/target.txt"; then
+    test_fail "basedir-escape via copy_file source: module/target.txt now contains the contents of outside/target.txt -- daemon read /outside via the cd symlink and copied it into the module"
+fi
+
+if ! cmp -s "$mod/target.txt" "$src/target.txt"; then
+    test_fail "destination doesn't match source content (and isn't outside content either): unexpected state"
+fi
+
+exit 0

testsuite/crtimes.test

@@ -4,7 +4,7 @@
 
 . "$suitedir/rsync.fns"
 
-$RSYNC --version | grep "[, ] crtimes" >/dev/null || test_skipped "Rsync is configured without crtimes support"
+$RSYNC -VV | grep '"crtimes": true' >/dev/null || test_skipped "Rsync is configured without crtimes support"
 
 # Setting an older time via touch sets the create time to the mtime.
 # Setting it to a newer time affects just the mtime.

testsuite/daemon-chroot-acl.test

@@ -0,0 +1,111 @@
+#!/bin/sh
+
+# Copyright (C) 2026 by Andrew Tridgell
+
+# This program is distributable under the terms of the GNU GPL (see
+# COPYING).
+
+# Regression test for GHSA-rjfm-3w2m-jf4f: a hostname-based "hosts deny"
+# rule must still match when the daemon performs a 'daemon chroot' and
+# the chroot does not contain the NSS files glibc needs for reverse DNS.
+#
+# Pre-fix, reverse DNS happened *after* the daemon chroot. With an empty
+# chroot the NSS lookup failed, client_name() returned "UNKNOWN", and a
+# deny rule referring to the connecting hostname silently failed to
+# match.
+#
+# Two scenarios are exercised so we can distinguish the case the fix
+# definitely covers from the per-module path that may still be
+# vulnerable:
+#   A. global  "reverse lookup = yes"           (covered by b6abdb4c)
+#   B. only module "reverse lookup = yes"       (gap to verify)
+
+. "$suitedir/rsync.fns"
+
+case `uname -s` in
+Linux*) ;;
+*) test_skipped "test is Linux-specific (uses chroot+unshare)" ;;
+esac
+
+# We need CAP_SYS_CHROOT. Re-exec under a user namespace if not root.
+if ! chroot / /bin/true 2>/dev/null; then
+    if [ -z "$RSYNC_UNSHARED" ] && unshare --user --map-root-user true 2>/dev/null; then
+	echo "Re-running under unshare --user --map-root-user..."
+	RSYNC_UNSHARED=1 exec unshare --user --map-root-user "$SHELL_PATH" $RUNSHFLAGS "$0"
+    fi
+    test_skipped "need CAP_SYS_CHROOT (root or unshare --user --map-root-user)"
+fi
+
+# We need 127.0.0.1 to reverse-resolve to a real hostname while NSS is
+# still working (i.e. before the daemon's chroot). The daemon will
+# look that name up itself as part of its hostname-based ACL check;
+# we then deny that name and assert the connection is rejected.
+client_hostname=`getent hosts 127.0.0.1 2>/dev/null | awk 'NR==1 {print $2}'`
+if [ -z "$client_hostname" ] || [ "$client_hostname" = "127.0.0.1" ]; then
+    test_skipped "no reverse DNS for 127.0.0.1"
+fi
+
+chrootdir="$scratchdir/chroot"
+rm -rf "$chrootdir"
+mkdir -p "$chrootdir/modroot"
+echo "from chroot" > "$chrootdir/modroot/file1"
+
+conf="$scratchdir/test-rsyncd.conf"
+logfile="$scratchdir/rsyncd.log"
+
+write_conf() {
+    cat >"$conf" <<EOF
+use chroot = no
+log file = $logfile
+daemon chroot = $chrootdir
+reverse lookup = $1
+hosts deny = $client_hostname
+max verbosity = 4
+
+[chrootmod]
+    path = /modroot
+    read only = yes
+    reverse lookup = $2
+EOF
+}
+
+# Run a transfer and return 0 if the daemon refused with @ERROR access
+# denied (the expected outcome when the deny rule matches).
+run_check() {
+    label="$1"
+
+    rm -f "$logfile"
+    rm -rf "$todir"
+    mkdir -p "$todir"
+
+    out="$scratchdir/run.out"
+
+    RSYNC_CONNECT_PROG="$RSYNC --config=$conf --daemon" \
+	$RSYNC -av localhost::chrootmod/ "$todir/" >"$out" 2>&1
+    rc=$?
+
+    echo "----- $label (rsync exit $rc):"
+    cat "$out"
+    echo "----- daemon log:"
+    [ -f "$logfile" ] && cat "$logfile"
+    echo "-----"
+
+    grep -q '@ERROR.*access denied' "$out"
+}
+
+# Scenario A: global reverse lookup. Covered by b6abdb4c.
+write_conf yes yes
+if ! run_check "Scenario A (global reverse lookup = yes)"; then
+    test_fail "Scenario A: hostname deny rule was bypassed"
+fi
+
+# Scenario B: only the per-module reverse-lookup setting is enabled.
+# The b6abdb4c fix only pre-warms client_name()'s cache when the
+# global setting is on, so the post-chroot lookup in this path may
+# still produce "UNKNOWN" and bypass the deny rule.
+write_conf no yes
+if ! run_check "Scenario B (per-module reverse lookup only)"; then
+    test_fail "Scenario B: hostname deny rule was bypassed (per-module reverse lookup with daemon chroot still has the bypass)"
+fi
+
+exit 0

testsuite/daemon-refuse-compress.test

@@ -0,0 +1,51 @@
+#!/bin/sh
+
+# Copyright (C) 2026 by Andrew Tridgell
+
+# This program is distributable under the terms of the GNU GPL (see
+# COPYING).
+
+# Test that a daemon module configured with "refuse options = compress"
+# rejects clients that ask for compression and still serves the same
+# transfer when the client does not.
+
+. "$suitedir/rsync.fns"
+
+build_rsyncd_conf
+
+# Append a module that refuses --compress (-z).
+cat >>"$conf" <<EOF
+
+[no-compress]
+	path = $fromdir
+	read only = yes
+	refuse options = compress
+EOF
+
+RSYNC_CONNECT_PROG="$RSYNC --config=$conf --daemon"
+export RSYNC_CONNECT_PROG
+
+hands_setup
+
+# Build a reference tree mirroring the daemon's global exclude rule.
+$RSYNC -av --exclude=foobar.baz "$fromdir/" "$chkdir/"
+
+# A compressed transfer must be refused.
+errlog="$scratchdir/refuse.err"
+if $RSYNC -avz localhost::no-compress/ "$todir/" >/dev/null 2>"$errlog"; then
+    cat "$errlog" >&2
+    test_fail "compressed transfer was not refused"
+fi
+
+grep -- '--compress' "$errlog" >/dev/null || {
+    cat "$errlog" >&2
+    test_fail "expected refuse error mentioning --compress"
+}
+
+# The same transfer without -z must succeed.
+rm -rf "$todir"
+mkdir "$todir"
+checkit "$RSYNC -av localhost::no-compress/ '$todir/'" "$chkdir" "$todir"
+
+# The script would have aborted on error, so getting here means we've won.
+exit 0

testsuite/daemon.test

@@ -81,7 +81,7 @@ drwxr-xr-x         DIR ####/##/## ##:##:## foo
 EOT
 diff $diffopt "$chkfile" "$outfile" || test_fail "test 3 failed"
 
-if $RSYNC --version | grep "[, ] atimes" >/dev/null; then
+if $RSYNC -VV | grep '"atimes": true' >/dev/null; then
     checkdiff "$RSYNC -rU localhost::test-from/f*" \
 	"sed -e '$FILE_REPL' -e '$DIR_REPL' -e '$LS_REPL'" <<EOT
 drwxr-xr-x         DIR ####/##/## ##:##:##                     foo

testsuite/devices.test

@@ -13,7 +13,7 @@
 
 case $0 in
 *fake*)
-    $RSYNC --version | grep "[, ] xattrs" >/dev/null || test_skipped "Rsync needs xattrs for fake device tests"
+    $RSYNC -VV | grep '"xattrs": true' >/dev/null || test_skipped "Rsync needs xattrs for fake device tests"
     RSYNC="$RSYNC --fake-super"
     TLS_ARGS="$TLS_ARGS --fake-super"
     case "$HOST_OS" in
@@ -94,7 +94,7 @@ esac
 
 # TODO: Need to test whether hardlinks are possible on this OS/filesystem
 
-$RSYNC --version | grep "[, ] hardlink-special" >/dev/null && CAN_HLINK_SPECIAL=yes || CAN_HLINK_SPECIAL=no
+$RSYNC -VV | grep '"hardlink_specials": true' >/dev/null && CAN_HLINK_SPECIAL=yes || CAN_HLINK_SPECIAL=no
 
 mkdir "$fromdir"
 mkdir "$todir"

testsuite/exclude-lsh.test

@@ -0,0 +1 @@
+exclude.test

testsuite/exclude.test

@@ -15,6 +15,19 @@
 CVSIGNORE='*.junk'
 export CVSIGNORE
 
+case $0 in
+*-lsh.*)
+    RSYNC_RSH="$scratchdir/src/support/lsh.sh"
+    export RSYNC_RSH
+    rpath=" --rsync-path='$RSYNC'"
+    host='lh:'
+    ;;
+*)
+    rpath=''
+    host=''
+    ;;
+esac
+
 # Build some files/dirs/links to copy
 
 makepath "$fromdir/foo/down/to/you"
@@ -106,8 +119,8 @@ home-cvs-exclude
 EOF
 
 # Start with a check of --prune-empty-dirs:
-$RSYNC -av -f -_foo/too/ -f -_foo/down/ -f -_foo/and/ -f -_new/ "$fromdir/" "$chkdir/"
-checkit "$RSYNC -av --prune-empty-dirs '$fromdir/' '$todir/'" "$chkdir" "$todir"
+$RSYNC -av --rsync-path="$RSYNC" -f -_foo/too/ -f -_foo/down/ -f -_foo/and/ -f -_new/ "$host$fromdir/" "$chkdir/"
+checkit "$RSYNC -av$rpath --prune-empty-dirs '$host$fromdir/' '$todir/'" "$chkdir" "$todir"
 rm -rf "$todir"
 
 # Add a directory symlink.
@@ -120,7 +133,7 @@ touch "$scratchdir/up1/same-newness" "$scratchdir/up2/same-newness"
 touch "$scratchdir/up1/extra-src" "$scratchdir/up2/extra-dest"
 
 # Create chkdir with what we expect to be excluded.
-checkit "$RSYNC -avv '$fromdir/' '$chkdir/'" "$fromdir" "$chkdir"
+checkit "$RSYNC -avv$rpath '$host$fromdir/' '$chkdir/'" "$fromdir" "$chkdir"
 sleep 1 # Ensures that the rm commands will tweak the directory times.
 rm -r "$chkdir"/foo/down
 rm -r "$chkdir"/mid/for/foo/and
@@ -135,12 +148,12 @@ touch "$scratchdir/up1/src-newness" "$scratchdir/up2/dst-newness"
 
 # Un-tweak the directory times in our first (weak) exclude test (though
 # it's a good test of the --existing option).
-$RSYNC -av --existing --include='*/' --exclude='*' "$fromdir/" "$chkdir/"
+$RSYNC -av --rsync-path="$RSYNC" --existing --include='*/' --exclude='*' "$host$fromdir/" "$chkdir/"
 
 # Now, test if rsync excludes the same files.
 
-checkit "$RSYNC -avv --exclude-from='$excl' \
-    --delete-during '$fromdir/' '$todir/'" "$chkdir" "$todir"
+checkit "$RSYNC -avv$rpath --exclude-from='$excl' \
+    --delete-during '$host$fromdir/' '$todir/'" "$chkdir" "$todir"
 
 # Modify the chk dir by removing cvs-ignored files and then tweaking the dir times.
 
@@ -150,13 +163,15 @@ rm "$chkdir"/bar/down/to/foo/*.junk
 rm "$chkdir"/bar/down/to/home-cvs-exclude
 rm "$chkdir"/mid/one-in-one-out
 
-$RSYNC -av --existing --filter='exclude,! */' "$fromdir/" "$chkdir/"
+$RSYNC -av --rsync-path="$RSYNC" --existing --filter='exclude,! */' "$host$fromdir/" "$chkdir/"
 
 # Now, test if rsync excludes the same files, this time with --cvs-exclude
 # and --delete-excluded.
 
-checkit "$RSYNC -avvC --filter='merge $excl' --delete-excluded \
-    --delete-during '$fromdir/' '$todir/'" "$chkdir" "$todir"
+# The -C option gets applied in a different order when pushing & pulling, so we instead
+# add the 2 --cvs-exclude filter rules (":C" & "-C") via -f to keep the order the same.
+checkit "$RSYNC -avv$rpath --filter='merge $excl' -f:C -f-C --delete-excluded \
+    --delete-during '$host$fromdir/' '$todir/'" "$chkdir" "$todir"
 
 # Modify the chk dir for our merge-exclude test and then tweak the dir times.
 
@@ -165,19 +180,19 @@ rm "$chkdir"/bar/down/to/bar/baz/*.deep
 cp_touch "$fromdir"/bar/down/to/foo/*.junk "$chkdir"/bar/down/to/foo
 cp_touch "$fromdir"/bar/down/to/foo/to "$chkdir"/bar/down/to/foo
 
-$RSYNC -av --existing -f 'show .filt*' -f 'hide,! */' --del "$fromdir/" "$todir/"
+$RSYNC -av --rsync-path="$RSYNC" --existing -f 'show .filt*' -f 'hide,! */' --del "$host$fromdir/" "$todir/"
 
 echo retained >"$todir"/bar/down/to/bar/baz/nodel.deep
 cp_touch "$todir"/bar/down/to/bar/baz/nodel.deep "$chkdir"/bar/down/to/bar/baz
 
-$RSYNC -av --existing --filter='-! */' "$fromdir/" "$chkdir/"
+$RSYNC -av --rsync-path="$RSYNC" --existing --filter='-! */' "$host$fromdir/" "$chkdir/"
 
 # Now, test if rsync excludes the same files, this time with a merge-exclude
 # file.
 
 checkit "sed '/!/d' '$excl' |
-    $RSYNC -avv -f dir-merge_.filt -f merge_- \
-    --delete-during '$fromdir/' '$todir/'" "$chkdir" "$todir"
+    $RSYNC -avv$rpath -f dir-merge_.filt -f merge_- \
+    --delete-during '$host$fromdir/' '$todir/'" "$chkdir" "$todir"
 
 # Remove the files that will be deleted.
 
@@ -188,14 +203,14 @@ rm "$chkdir"/bar/down/to/foo/.filt2
 rm "$chkdir"/bar/down/to/bar/.filt2
 rm "$chkdir"/mid/.filt
 
-$RSYNC -av --protocol=28 --existing --include='*/' --exclude='*' "$fromdir/" "$chkdir/"
+$RSYNC -av --rsync-path="$RSYNC" --existing --include='*/' --exclude='*' "$host$fromdir/" "$chkdir/"
 
 # Now, try the prior command with --delete-before and some side-specific
 # rules.
 
 checkit "sed '/!/d' '$excl' |
-    $RSYNC -avv -f :s_.filt -f .s_- -f P_nodel.deep \
-    --delete-before '$fromdir/' '$todir/'" "$chkdir" "$todir"
+    $RSYNC -avv$rpath -f :s_.filt -f .s_- -f P_nodel.deep \
+    --delete-before '$host$fromdir/' '$todir/'" "$chkdir" "$todir"
 
 # Next, we'll test some rule-restricted filter files.
 
@@ -206,26 +221,26 @@ cat >"$fromdir/bar/down/to/foo/.excl" <<EOF
 + file3
 *.bak
 EOF
-$RSYNC -av --del "$fromdir/" "$chkdir/"
+$RSYNC -av --rsync-path="$RSYNC" --del "$host$fromdir/" "$chkdir/"
 rm "$chkdir/bar/down/to/foo/file1.bak"
 rm "$chkdir/bar/down/to/foo/file3"
 rm "$chkdir/bar/down/to/foo/+ file3"
-$RSYNC -av --existing --filter='-! */' "$fromdir/" "$chkdir/"
-$RSYNC -av --delete-excluded --exclude='*' "$fromdir/" "$todir/"
+$RSYNC -av --rsync-path="$RSYNC" --existing --filter='-! */' "$host$fromdir/" "$chkdir/"
+$RSYNC -av --rsync-path="$RSYNC" --delete-excluded --exclude='*' "$host$fromdir/" "$todir/"
 
-checkit "$RSYNC -avv -f dir-merge,-_.excl \
-    '$fromdir/' '$todir/'" "$chkdir" "$todir"
+checkit "$RSYNC -avv$rpath -f dir-merge,-_.excl \
+    '$host$fromdir/' '$todir/'" "$chkdir" "$todir"
 
 relative_opts='--relative --chmod=Du+w --copy-unsafe-links'
-$RSYNC -av $relative_opts "$fromdir/foo" "$chkdir/"
+$RSYNC -av --rsync-path="$RSYNC" $relative_opts "$host$fromdir/foo" "$chkdir/"
 rm -rf "$chkdir$fromdir/foo/down"
 $RSYNC -av $relative_opts --existing --filter='-! */' "$fromdir/foo" "$chkdir/"
 
-checkit "$RSYNC -avv $relative_opts --exclude='$fromdir/foo/down' \
-    '$fromdir/foo' '$todir'" "$chkdir$fromdir/foo" "$todir$fromdir/foo"
+checkit "$RSYNC -avv$rpath $relative_opts --exclude='$fromdir/foo/down' \
+    '$host$fromdir/foo' '$todir'" "$chkdir$fromdir/foo" "$todir$fromdir/foo"
 
 # Now we'll test the --update option.
-checkdiff "$RSYNC -aiiO --update --info=skip '$scratchdir/up1/' '$scratchdir/up2/'" \
+checkdiff "$RSYNC -aiiO$rpath --update --info=skip '$host$scratchdir/up1/' '$scratchdir/up2/'" \
 	"grep -v '^\.d$allspace'" <<EOT
 dst-newness is newer
 >f$all_plus extra-src

testsuite/itemize.test

@@ -25,7 +25,7 @@ ln "$fromdir/foo/config1" "$fromdir/foo/extra"
 rm -f "$to2dir"
 
 # Check if rsync is set to hard-link symlinks.
-if $RSYNC --version | grep "[, ] hardlink-symlinks" >/dev/null; then
+if $RSYNC -VV | grep '"hardlink_symlinks": true' >/dev/null; then
     L=hL
     sym_dots="$allspace"
     L_sym_dots=".L$allspace"
@@ -45,7 +45,7 @@ case "$RSYNC" in
     T=.T
     ;;
 *)
-    if $RSYNC --version | grep "[, ] symtimes" >/dev/null; then
+    if $RSYNC -VV | grep '"symtimes": true' >/dev/null; then
 	T=.t
     else
 	T=.T