From 50f0add12a4856f6e7d5e6d1b18530fea05d50e6 Mon Sep 17 00:00:00 2001
From: Andrew Tridgell <andrew@tridgell.net>
Date: Tue, 30 Dec 2025 18:49:34 +1100
Subject: [PATCH 24/60] reject negative token values in compressed stream
 receivers

Validate that token numbers read from compressed streams are
non-negative. A negative token value would cause the return value
of recv_*_token() to become positive, which callers interpret as
literal data length, but no data pointer is set on this code path.

While this only causes the receiver to crash (which is process-isolated
and only affects the attacker's own connection), it's still undefined
behavior.

Reported-by: Will Sergeant <wlsergeant@gmail.com>
---
 token.c | 21 ++++++++++++++++++---
 1 file changed, 18 insertions(+), 3 deletions(-)

Index: rsync-3.1.3/token.c
===================================================================
--- rsync-3.1.3.orig/token.c
+++ rsync-3.1.3/token.c
@@ -530,8 +530,13 @@ static int32 recv_deflated_token(int f,
 			if (flag & TOKEN_REL) {
 				rx_token += flag & 0x3f;
 				flag >>= 6;
-			} else
+			} else {
 				rx_token = read_int(f);
+				if (rx_token < 0) {
+					rprintf(FERROR, "invalid token number in compressed stream\n");
+					exit_cleanup(RERR_PROTOCOL);
+				}
+			}
 			if (flag & 1) {
 				rx_run = read_byte(f);
 				rx_run += read_byte(f) << 8;