From: Andrew Tridgell Date: Sat, 23 Aug 2025 09:14:59 +0000 (+1000) Subject: util: fixed issue in clean_fname() X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=9e0898460d5ff17470c62c552b84b881ed4a3c72;p=thirdparty%2Frsync.git util: fixed issue in clean_fname() fixes buffer underflow (not exploitable) in clean_fname --- diff --git a/util1.c b/util1.c index d84bc414..e65e0568 100644 --- a/util1.c +++ b/util1.c @@ -942,7 +942,7 @@ int count_dir_elements(const char *p) * resulting name would be empty, returns ".". */ int clean_fname(char *name, int flags) { - char *limit = name - 1, *t = name, *f = name; + char *limit = name, *t = name, *f = name; int anchored; if (!name) @@ -987,9 +987,13 @@ int clean_fname(char *name, int flags) f += 2; continue; } - while (s > limit && *--s != '/') {} - if (s != t - 1 && (s < name || *s == '/')) { - t = s + 1; + /* backing up for ".." — avoid reading before 'name' */ + while (s > limit && s[-1] != '/') + s--; + + /* If found prior '/', or we reached the start, adjust t. */ + if (s != t - 1 && (s <= name || *s == '/')) { + t = (s == name) ? name : s + 1; f += 2; continue; }