[tor-dev] Fwd: [rt.torproject.org #14731] Off by one buffer overflow in tor stable

Pedro Ribeiro pedrib at gmail.com
Mon Oct 7 21:55:43 UTC 2013

---------- Forwarded message ----------
From: Colin Childs via RT <help at rt.torproject.org>
Date: 7 October 2013 14:25
Subject: [rt.torproject.org #14731] Off by one buffer overflow in tor stable
To: pedrib at gmail.com

On Mon Oct 07 12:13:21 2013, pedrib at gmail.com wrote:
> Hi,
> I think there is a small buffer overflow (off by one) in the current stable
> version of tor.
> The function in question is format_helper_exit_status, which returns a
> formatted hex string. It is in common/util.c, starting at line 3270.
> The function has a comment header that explains how it works. It
> specifically says it returns a string that is not null terminated, but
> instead terminates with a newline.
> The code checks periodically throughout the function whether it has written
> more bytes than it should. If it does, it errors out and writes a null
> character in the current character positions. This by itself can lead to a
> buffer overflow, but I believe the checks ensure that it almost never
> writes over the buffer size - except in one case.
> After it has finished everything, it then checks again if there are more
> than 0 bytes left in the buffer. If there are, it writes two characters - a
> newline and a null terminator (lines 3342 to 3347).
> The problem here is if the buffer only has one byte left, an off by one
> overflow occurs. These usually are very hard to exploit, but can be a
> security issue nonetheless.
> However given that I am not familiar with the tor codebase I might be
> wrong? I also did a quick security audit on the rest of the tor code and
> couldn't find anything else. I was inspire because of the recent events...
> Regards
> Pedro

Please send a copy of this email to our tor-dev mailing list at

Thank you!

Colin C.



Please find above a bug report with possible security implications. I
was a bit weary of sending to a public list at first, but I doubt the
bug above is exploitable.


More information about the tor-dev mailing list