[torsocks/master] Fix memcpy buffer overrun in gethostbyaddr()

commit 34b1f1cc25aa2e0e80c1aa53c4aa007680bbab13 Author: David Goulet <dgoulet@ev0ke.net> Date: Sun Aug 21 11:11:21 2016 -0400 Fix memcpy buffer overrun in gethostbyaddr() Similar from the previous commit but heap memory was copied to a static stack buffer. This is not security critical but still we shouldn't make torsocks let store let's say a malicious payload on the stack. Reported-by: Guido Vranken <guidovranken@gmail.com> Signed-off-by: David Goulet <dgoulet@ev0ke.net>
---
 src/lib/gethostbyname.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/src/lib/gethostbyname.c b/src/lib/gethostbyname.c
index d67cc8e..e43ed4a 100644
--- a/src/lib/gethostbyname.c
+++ b/src/lib/gethostbyname.c
@@ -191,7 +191,11 @@ LIBC_GETHOSTBYADDR_RET_TYPE tsocks_gethostbyaddr(LIBC_GETHOSTBYADDR_SIG)
 goto error;
 }
 } else {
- memcpy(tsocks_he_name, hostname, sizeof(tsocks_he_name));
+ /* The hostname value is a NUL terminated string. Having a bigger
+ * hostname here than what we return implies that SOCKS5 can resolve a
+ * bigger hostname than 256 bytes (255 + NUL byte). */
+ assert(strlen(hostname) <= (sizeof(tsocks_he_name) + 1));
+ strncpy(tsocks_he_name, hostname, sizeof(tsocks_he_name));
 free(hostname);
 tsocks_he_addr_list[0] = (char *) addr;
 }
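Review bot: The bound in the added `assert` is too loose and the `strncpy` that follows it has no terminator: `strlen(hostname) <= sizeof(tsocks_he_name) + 1` still admits a string of `sizeof(tsocks_he_name)` or more characters, in which case `strncpy(..., sizeof(tsocks_he_name))` fills the buffer without writing a NUL and later readers of the returned name can run past it. The check should read `assert(strlen(hostname) < sizeof(tsocks_he_name));` and the copy should be followed by `tsocks_he_name[sizeof(tsocks_he_name) - 1] = '\0';`. Because `assert` is compiled out under `NDEBUG` and otherwise aborts the calling process, a runtime length check that frees `hostname` and takes the existing `goto error` path would be sturdier for a value that presumably comes from the SOCKS5 reply. The declaration of `tsocks_he_name` and the rest of `tsocks_gethostbyaddr` lie outside the hunk, so the 256-byte size is taken from the added comment.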