[PATCH] inetutils: fix the rcp couldn't copy subdirectory issue


From: Zhixiong Chi
Subject: [PATCH] inetutils: fix the rcp couldn't copy subdirectory issue
Date: Sun, 22 Dec 2019 23:10:24 -0800

The namebuf will get the same allocation address as the one before the
free operation; at the same time, because of the recursive call of the
sink function, targ and namebuf point to the same address, which
causes namebuf to get the wrong value from the snprintf function,
since the snprintf function is not like the strcpy function, which
can overwrite the destination.
e.g.:
 char tmp[20] = "test";
 snprintf(tmp,20,"%s%s",tmp,"yes");
The result of tmp -> yes. It will cause the wrong value.

The sink function flow is as follows:
 >sink(int argc, char*argv[])
 >{
 > ...
 > targ = *argv;
 > static char *namebuf = NULL;
 > free (namebuf);
 > namebuf = malloc (need);
 > snprintf (namebuf, cursize, "%s%s%s", targ, *targ ? "/" : "", cp);
 > np = namebuf;
 > vect[0] = np;
 > sink (1, vect);
 > ...
 >}

At the same time, we couldn't add the condition (need > cursize);
the same snprintf issue still exists. For example:
#ls rccopy/*/*
rccopy/fold1/1  rccopy/fold2/2  rccopy/fold3/3

Since the cursize static variable still has the old value after copying
rccopy/fold1/1, when it copies the directory rccopy/fold2 during recursion,
the value of need < cursize, so namebuf still uses the old value without being
allocated new space, and the incorrect namebuf value issue is still here.

Signed-off-by: Zhixiong Chi <address@hidden>
Index: inetutils-1.9.4/src/rcp.c
===================================================================
--- inetutils-1.9.4.orig/src/rcp.c
+++ inetutils-1.9.4/src/rcp.c
@@ -881,6 +881,7 @@ sink (int argc, char *argv[])
   int setimes, targisdir, wrerrno;
   char ch, *cp, *np, *targ, *vect[1], buf[BUFSIZ];
   const char *why;
+  static char *namebuf = NULL;
 
 #define atime  tv[0]
 #define mtime  tv[1]
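Review bot: declaring namebuf as a function-scope static means every recursive invocation of sink shares one pointer, so an inner call that assigns or frees it changes the storage an outer call may still be using as its path. Nothing in the patch needs the value to persist between calls now that cursize is gone; a plain local (char *namebuf = NULL;) owned by the invocation that allocated it would be easier to reason about, and the declaration deserves a comment stating who frees it and when.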
@@ -988,25 +989,14 @@ sink (int argc, char *argv[])
        SCREWUP ("size not delimited");
       if (targisdir)
        {
-         static char *namebuf = NULL;
-         static size_t cursize = 0;
          size_t need;
 
          need = strlen (targ) + strlen (cp) + 250;
-         if (need > cursize)
+         if (!(namebuf = malloc (need)));
            {
-             free (namebuf);
-             namebuf = malloc (need);
-             if (namebuf)
-               cursize = need;
-             else
-               {
-                 run_err ("%s", strerror (errno));
-                 cursize = 0;
-                 continue;
-               }
+             run_err ("%s", strerror (errno));
            }
-         snprintf (namebuf, cursize, "%s%s%s", targ, *targ ? "/" : "", cp);
+         snprintf (namebuf, need, "%s%s%s", targ, *targ ? "/" : "", cp);
          np = namebuf;
        }
       else
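Review bot: the added line "if (!(namebuf = malloc (need)));" ends in a semicolon, so the if has an empty body and the braced block below it runs unconditionally: run_err is reported on every directory entry, even when malloc succeeded. The removed "continue;" is also not replaced, so when malloc does fail execution falls through to snprintf (namebuf, need, ...) with namebuf == NULL. Drop the semicolon and keep the continue inside the error branch. Separately, the previous namebuf is overwritten here without being freed, so each pass through this branch leaks the earlier allocation.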
@@ -1163,6 +1153,8 @@ sink (int argc, char *argv[])
          break;
        }
     }
+    if (namebuf)
+      free(namebuf);
 screwup:
   run_err ("protocol error: %s", why);
   exit (EXIT_FAILURE);
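Review bot: the free added directly above the screwup: label does not release the buffer on the normal copy path: code that falls through to it continues straight into run_err ("protocol error: %s", why) and exit (EXIT_FAILURE), and any jump to the label skips it. Combined with the unconditional malloc in the previous hunk, the per-entry allocations are never released during a successful transfer. Free the buffer at the end of the iteration that allocated it, after the recursive sink call has returned, and set namebuf = NULL afterwards so the static pointer does not dangle. The "if (namebuf)" guard is unnecessary, since free (NULL) is a no-op.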
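The aliasing problem described in the message (targ pointing at the same buffer snprintf writes to) can be avoided by formatting into fresh storage and freeing the old buffer only afterwards. The following is an added example, not code from inetutils or from this patch; join_path and demo are hypothetical names, and the path components are constructed input.

```c
/* Added example, not from inetutils: build "targ/cp" into a reused buffer
 * even when targ points at that same buffer (the recursive sink case). */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* join_path (hypothetical helper): replaces *buf with "targ/cp".
 * The result is written to fresh storage first and the old buffer is
 * freed only afterwards, so targ may alias *buf.
 * Returns 0 on success, -1 on failure (errno set, *buf untouched). */
int join_path(char **buf, const char *targ, const char *cp)
{
    size_t need = strlen(targ) + strlen(cp) + 2;    /* room for '/' and NUL */
    char *fresh = malloc(need);
    if (fresh == NULL)
        return -1;
    int n = snprintf(fresh, need, "%s%s%s", targ, *targ ? "/" : "", cp);
    if (n < 0 || (size_t)n >= need) {               /* error or truncation */
        free(fresh);
        errno = ENAMETOOLONG;
        return -1;
    }
    free(*buf);                     /* safe now: targ is no longer read */
    *buf = fresh;
    return 0;
}

/* Constructed input mirroring the rccopy/fold1/1 layout from the message.
 * Each step passes the current buffer as targ, as the recursion does. */
int demo(char *out, size_t outlen)
{
    char *namebuf = NULL;
    int rc = join_path(&namebuf, "", "rccopy");
    if (rc == 0) rc = join_path(&namebuf, namebuf, "fold1"); /* targ == namebuf */
    if (rc == 0) rc = join_path(&namebuf, namebuf, "1");
    if (rc == 0) snprintf(out, outlen, "%s", namebuf);
    free(namebuf);                  /* free(NULL) is a no-op */
    return rc;
}

int main(void)
{
    char out[64];
    if (demo(out, sizeof out) == 0)
        puts(out);
    return 0;
}
```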


