[tor-bugs] #31545 [Core Tor/Tor]: CID 1452819: nul-terminated string handling, possibly spurious
Tor Bug Tracker & Wiki
blackhole at torproject.org
Wed Aug 28 06:24:38 UTC 2019
#31545: CID 1452819: nul-terminated string handling, possibly spurious
-------------------------+-------------------------------------------------
Reporter: teor | Owner: teor
Type: defect | Status: assigned
Priority: Medium | Milestone: Tor: 0.4.2.x-final
Component: Core | Version: Tor: unspecified
Tor/Tor | Keywords: 042-must, memory-safety?, easy,
Severity: Normal | intro, ipv6, logging, fast-fix
Actual Points: | Parent ID:
Points: 0.1 | Reviewer:
Sponsor: |
Sponsor27-must |
-------------------------+-------------------------------------------------
Bug introduced by #21003, copying sponsors and tags.
{{{
/src/feature/nodelist/describe.c: 77 in format_node_description()
71 }
72 if (addr32h && has_addr) {
73 memcpy(cp, " and ", 5);
74 cp += 5;
75 }
76 if (has_addr) {
CID 1452819: (STRING_NULL)
Passing unterminated string "cp" to "tor_addr_to_str", which expects a
null-terminated string.
77 tor_addr_to_str(cp, addr, TOR_ADDR_BUF_LEN, 1);
78 }
79
80 return buf;
81 }
82
/src/feature/nodelist/describe.c: 70 in format_node_description()
64 cp += 4;
65 }
66 if (addr32h) {
67 struct in_addr in;
68 in.s_addr = htonl(addr32h);
69 tor_inet_ntoa(&in, cp, INET_NTOA_BUF_LEN);
CID 1452819: (STRING_NULL)
Passing unterminated string "cp" to "strlen", which expects a null-
terminated string.
70 cp += strlen(cp);
71 }
72 if (addr32h && has_addr) {
73 memcpy(cp, " and ", 5);
74 cp += 5;
75 }
}}}
I think the best fix for this issue is using strncpy() rather than
memcpy().
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/31545>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
More information about the tor-bugs
mailing list