[tor-bugs] #15202 [Tor]: Second argument to strlcpy must always be NUL-terminated.
Tor Bug Tracker & Wiki
blackhole at torproject.org
Mon Mar 9 17:30:11 UTC 2015
#15202: Second argument to strlcpy must always be NUL-terminated.
-------------------------------------------------+-------------------------
Reporter: nickm | Owner:
Type: defect | Status: new
Priority: critical | Milestone: Tor:
Component: Tor | 0.2.6.x-final
Keywords: 023-backport 024-backport | Version:
025-backport | Actual Points:
Parent ID: | Points:
-------------------------------------------------+-------------------------
Even though strlcpy and strlcat stop copying their inputs when further
bytes would fill up the output buffer, they keep reading the input string
until they find a terminating NUL. This means that if you pass strlcpy or
strlcat a non-NUL-terminated argument, they will keep reading off into the
heap, and potentially crash.
We do this in at least one place.
Found while investigating #15083. This can be remotely triggerable on
some systems, depending on the behavior of malloc(), and on whether buffer
freelists are turned on, and on the phase of the moon.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/15202>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
More information about the tor-bugs
mailing list