[tor-bugs] #26522 [Core Tor/Tor]: strncat() without bounds

Tor Bug Tracker & Wiki blackhole at torproject.org
Wed Jun 27 09:37:08 UTC 2018


#26522: strncat() without bounds
------------------------------+------------------------------
     Reporter:  Dhiraj        |      Owner:  (none)
         Type:  defect        |     Status:  new
     Priority:  Medium        |  Milestone:
    Component:  Core Tor/Tor  |    Version:  Tor: unspecified
     Severity:  Major         |   Keywords:
Actual Points:                |  Parent ID:
       Points:                |   Reviewer:
      Sponsor:                |
------------------------------+------------------------------
 Hi Team,

 https://github.com/torproject/tor/blob/master/src/lib/err/backtrace.c#L267-L268

 i.e

 strncat(version, " ", sizeof(version)-1);
 strncat(version, tor_version, sizeof(version)-1);


 Easily used incorrectly (e.g., incorrectly computing the correct maximum
 size to add) such as (CWE-120).

 Consider strcat_s, strlcat, snprintf, or automatically resizing strings. I
 feel the risk is high because the length parameter appears to be a
 constant, instead of computing the number of characters left.


 Request team to please have a look and validate.



 Regards
 Dhiraj

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/26522>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online


More information about the tor-bugs mailing list