From: Andrew Tridgell <andrew@tridgell.net>
Date: Tue, 21 Apr 2026 23:57:45 +0000 (+1000)
Subject: xattrs: fixed count in qsort
X-Git-Tag: v3.4.2~13
X-Git-Url: http://git.ipfire.org/gitweb/?a=commitdiff_plain;h=bb0a8118c2d2ab01140bac5e4e327e5e1ef90c9c;p=thirdparty%2Frsync.git

xattrs: fixed count in qsort

this fixes the count passed to the sort of the xattr list. This issue
was reported here:

https://www.openwall.com/lists/oss-security/2026/04/16/2

the bug is not exploitable due to the fork-per-connection design of
rsync, the attack is the equivalent of the user closing the socket
themselves.
---

diff --git a/xattrs.c b/xattrs.c
index 26e50a6f..65166eed 100644
--- a/xattrs.c
+++ b/xattrs.c
@@ -860,8 +860,8 @@ void receive_xattr(int f, struct file_struct *file)
 		rxa->num = num;
 	}
 
-	if (need_sort && count > 1)
-		qsort(temp_xattr.items, count, sizeof (rsync_xa), rsync_xal_compare_names);
+	if (need_sort && temp_xattr.count > 1)
+		qsort(temp_xattr.items, temp_xattr.count, sizeof (rsync_xa), rsync_xal_compare_names);
 
 	ndx = rsync_xal_store(&temp_xattr); /* adds item to rsync_xal_l */