mirror of
https://github.com/RsyncProject/rsync.git
synced 2026-05-12 00:46:09 -04:00
d1df0aaf70
The len field in the proxy v2 header was declared as signed char, allowing a negative size to bypass the validation check and cause a stack buffer overflow when passed to read_buf() as size_t. This bug was reported by John Walker from ZeroPath, many thanks for the clear report! With the current code this bug does not represent a security issue as it only results in the exit of the forked process that is specific to the attached client, so it is equivalent to the client closing the socket, so no CVE for this, but it is good to fix it to prevent a future issue.
14 KiB
14 KiB