[tor-commits] [torsocks/master] Fix memcpy buffer overrun in gethostbyaddr()

dgoulet at torproject.org dgoulet at torproject.org
Sun Aug 21 15:15:40 UTC 2016


commit 34b1f1cc25aa2e0e80c1aa53c4aa007680bbab13
Author: David Goulet <dgoulet at ev0ke.net>
Date:   Sun Aug 21 11:11:21 2016 -0400

    Fix memcpy buffer overrun in gethostbyaddr()
    
    Similar from the previous commit but heap memory was copied to a static stack
    buffer. This is not security critical but still we shouldn't make torsocks let
    store let's say a malicious payload on the stack.
    
    Reported-by: Guido Vranken <guidovranken at gmail.com>
    Signed-off-by: David Goulet <dgoulet at ev0ke.net>
---
 src/lib/gethostbyname.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/src/lib/gethostbyname.c b/src/lib/gethostbyname.c
index d67cc8e..e43ed4a 100644
--- a/src/lib/gethostbyname.c
+++ b/src/lib/gethostbyname.c
@@ -191,7 +191,11 @@ LIBC_GETHOSTBYADDR_RET_TYPE tsocks_gethostbyaddr(LIBC_GETHOSTBYADDR_SIG)
 			goto error;
 		}
 	} else {
-		memcpy(tsocks_he_name, hostname, sizeof(tsocks_he_name));
+		/* The hostname value is a NUL terminated string. Having a bigger
+		 * hostname here than what we return implies that SOCKS5 can resolve a
+		 * bigger hostname than 256 bytes (255 + NUL byte). */
+		assert(strlen(hostname) <= (sizeof(tsocks_he_name) + 1));
+		strncpy(tsocks_he_name, hostname, sizeof(tsocks_he_name));
 		free(hostname);
 		tsocks_he_addr_list[0] = (char *) addr;
 	}



More information about the tor-commits mailing list