[tor-bugs] #26522 [Core Tor/Tor]: strncat() without bounds
Tor Bug Tracker & Wiki
blackhole at torproject.org
Wed Jun 27 09:37:08 UTC 2018
#26522: strncat() without bounds
------------------------------+------------------------------
Reporter: Dhiraj | Owner: (none)
Type: defect | Status: new
Priority: Medium | Milestone:
Component: Core Tor/Tor | Version: Tor: unspecified
Severity: Major | Keywords:
Actual Points: | Parent ID:
Points: | Reviewer:
Sponsor: |
------------------------------+------------------------------
Hi Team,
https://github.com/torproject/tor/blob/master/src/lib/err/backtrace.c#L267-L268
i.e
strncat(version, " ", sizeof(version)-1);
strncat(version, tor_version, sizeof(version)-1);
Easily used incorrectly (e.g., incorrectly computing the correct maximum
size to add) such as (CWE-120).
Consider strcat_s, strlcat, snprintf, or automatically resizing strings. I
feel the risk is high because the length parameter appears to be a
constant, instead of computing the number of characters left.
Request team to please have a look and validate.
Regards
Dhiraj
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/26522>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
More information about the tor-bugs
mailing list