Since 3.0.8 (the same in 3.1) we have this around line 300 in socket.c:

            break;
        }
        freeaddrinfo(res0);
        if (s < 0) {
            char buf[2048];
            for (res = res0, j = 0; res; res = res->ai_next, j++) {
                if (errnos[j] == 0)
                    continue;
                if (inet_ntop(res->ai_family, res->ai_addr->sa_data + 2, buf, sizeof buf) == NULL)
                    strlcpy(buf, "*inet_ntop failed*", sizeof buf);
                rsyserr(FERROR, errnos[j], "failed to connect to %s (%s)", h, buf);
            }
            s = -1;
        }

res0 is freed but keeps its value so there's access to freed memory in res->ai* in the call of inet_ntop if s < 0. This might explain why we've got a few cases of inet_ntop failed in the logs.

I suggest the attached obvious patch.
-- 
Please use reply-all for most replies to avoid omitting the mailing list.
To unsubscribe or change options: https://lists.samba.org/mailman/listinfo/rsync
Before posting, read: http://www.catb.org/~esr/faqs/smart-questions.html
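The ordering issue described in the message, as an added example that is neither the attached patch nor rsync code: the per-address error report walks the getaddrinfo() list before freeaddrinfo() runs, and the list head is cleared afterwards. The helper name report_failed_addrs, the MAX_ADDRS bound and the simulated ECONNREFUSED failures are assumptions made for the illustration.

```c
#include <arpa/inet.h>
#include <errno.h>
#include <netdb.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>

#define MAX_ADDRS 16

/* Hypothetical helper: resolve a numeric host, pretend every connect()
 * failed, and write one textual address per line into out (outlen > 0).
 * Returns the number of addresses reported, or -1 if resolution fails. */
int report_failed_addrs(const char *host, char *out, size_t outlen)
{
    struct addrinfo hints, *res0 = NULL, *res;
    int errnos[MAX_ADDRS] = {0}, j, n = 0;
    size_t used = 0;

    memset(&hints, 0, sizeof hints);
    hints.ai_family = AF_UNSPEC;
    hints.ai_socktype = SOCK_STREAM;
    hints.ai_flags = AI_NUMERICHOST;    /* no DNS lookup, runs offline */
    if (getaddrinfo(host, NULL, &hints, &res0) != 0)
        return -1;
    /* Constructed failure: record ECONNREFUSED for each candidate. */
    for (res = res0, j = 0; res && j < MAX_ADDRS; res = res->ai_next, j++)
        errnos[j] = ECONNREFUSED;

    out[0] = '\0';
    /* Report while the list is still allocated ... */
    for (res = res0, j = 0; res && j < MAX_ADDRS; res = res->ai_next, j++) {
        char buf[INET6_ADDRSTRLEN];
        const void *addr = res->ai_family == AF_INET
            ? (const void *)&((struct sockaddr_in *)res->ai_addr)->sin_addr
            : (const void *)&((struct sockaddr_in6 *)res->ai_addr)->sin6_addr;
        if (errnos[j] == 0)
            continue;
        if (inet_ntop(res->ai_family, addr, buf, sizeof buf) == NULL)
            snprintf(buf, sizeof buf, "*inet_ntop failed*");
        int w = snprintf(out + used, outlen - used, "%s\n", buf);
        if (w < 0 || (size_t)w >= outlen - used)
            break;                      /* output buffer full */
        used += (size_t)w;
        n++;
    }
    /* ... and only then release it, clearing the stale pointer. */
    freeaddrinfo(res0);
    res0 = NULL;
    return n;
}

int main(void)
{
    char out[128];
    if (report_failed_addrs("127.0.0.1", out, sizeof out) > 0)
        fputs(out, stdout);
    return 0;
}
```

Building the original ordering with -fsanitize=address makes the read after freeaddrinfo() show up as a heap-use-after-free report instead of an occasional bad log line.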