From: Natanael Copa <ncopa@alpinelinux.org>
Date: Wed, 15 Jan 2025 14:48:04 +0000 (+0100)
Subject: Fix use-after-free in generator
X-Git-Tag: v3.4.1~5
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=81ead9e70c7b9ee1bf3d1df09ace7df95934c5b8;p=thirdparty%2Frsync.git

Fix use-after-free in generator

full_fname() will free the return value in the next call so we need to
duplicate it before passing it to rsyserr.

Fixes: https://github.com/RsyncProject/rsync/issues/704
---

diff --git a/generator.c b/generator.c
index 3f13bb95..b56fa569 100644
--- a/generator.c
+++ b/generator.c
@@ -2041,8 +2041,12 @@ int atomic_create(struct file_struct *file, char *fname, const char *slnk, const
 
 	if (!skip_atomic) {
 		if (do_rename(tmpname, fname) < 0) {
+			char *full_tmpname = strdup(full_fname(tmpname));
+			if (full_tmpname == NULL)
+				out_of_memory("atomic_create");
 			rsyserr(FERROR_XFER, errno, "rename %s -> \"%s\" failed",
-				full_fname(tmpname), full_fname(fname));
+				full_tmpname, full_fname(fname));
+			free(full_tmpname);
 			do_unlink(tmpname);
 			return 0;
 		}