From 6aa7ee6ba1bd71b1b7bac7dbb351ed05c065e93d Mon Sep 17 00:00:00 2001 From: Andrew Tridgell Date: Wed, 22 Apr 2026 09:57:45 +1000 Subject: [PATCH] xattrs: fixed count in qsort this fixes the count passed to the sort of the xattr list. This issue was reported here: https://www.openwall.com/lists/oss-security/2026/04/16/2 the bug is not exploitable due to the fork-per-connection design of rsync, the attack is the equivalent of the user closing the socket themselves. --- xattrs.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/xattrs.c b/xattrs.c index 26e50a6f9..65166eed9 100644 --- a/xattrs.c +++ b/xattrs.c @@ -860,8 +860,8 @@ void receive_xattr(int f, struct file_struct *file) rxa->num = num; } - if (need_sort && count > 1) - qsort(temp_xattr.items, count, sizeof (rsync_xa), rsync_xal_compare_names); + if (need_sort && temp_xattr.count > 1) + qsort(temp_xattr.items, temp_xattr.count, sizeof (rsync_xa), rsync_xal_compare_names); ndx = rsync_xal_store(&temp_xattr); /* adds item to rsync_xal_l */