[tor-commits] [tor/master] Fix non-triggerable heap corruption at do_getpass().
nickm at torproject.org
nickm at torproject.org
Tue Oct 11 12:54:32 UTC 2016
commit e59f0d4cb964387c5c653d3943ae4ecb9cab55b9
Author: George Kadianakis <desnacked at riseup.net>
Date: Mon Oct 10 12:03:39 2016 -0400
Fix non-triggerable heap corruption at do_getpass().
---
changes/bug19223 | 4 ++++
src/or/routerkeys.c | 4 ++--
2 files changed, 6 insertions(+), 2 deletions(-)
diff --git a/changes/bug19223 b/changes/bug19223
new file mode 100644
index 0000000..e8ca6d4
--- /dev/null
+++ b/changes/bug19223
@@ -0,0 +1,4 @@
+ o Minor bugfixes (getpass):
+ - Defensively fix a non-triggerable heap corruption at do_getpass() tow
+ protect ourselves from mistakes in the future. Fixes bug #19223; bugfix
+ on 0.2.7.3-rc. Bug found by Guido Vranken, patch by nherring.
\ No newline at end of file
diff --git a/src/or/routerkeys.c b/src/or/routerkeys.c
index 060ffd8..d5e7051 100644
--- a/src/or/routerkeys.c
+++ b/src/or/routerkeys.c
@@ -48,8 +48,8 @@ do_getpass(const char *prompt, char *buf, size_t buflen,
size_t p2len = strlen(prompt) + 1;
if (p2len < sizeof(msg))
p2len = sizeof(msg);
- prompt2 = tor_malloc(strlen(prompt)+1);
- memset(prompt2, ' ', p2len);
+ prompt2 = tor_malloc(p2len);
+ memset(prompt2, ' ', p2len - sizeof(msg));
memcpy(prompt2 + p2len - sizeof(msg), msg, sizeof(msg));
buf2 = tor_malloc_zero(buflen);
More information about the tor-commits
mailing list