diff options
| author | Nick Mathewson <nickm@torproject.org> | 2013-10-10 10:53:27 -0400 |
|---|---|---|
| committer | Nick Mathewson <nickm@torproject.org> | 2013-10-10 10:53:27 -0400 |
| commit | 6eb7f2f889d9e047ea75bad15531d4aff4dbc711 (patch) | |
| tree | a33ee2ef32038c58e9cf0a2e99e3f3f339f3f4d6 | |
| parent | dece40fd7729934bc32906e94d3e5e746c01f970 (diff) | |
| parent | bfe56e05b08b940d432be9af824b969522eedc98 (diff) | |
| download | tor-6eb7f2f889d9e047ea75bad15531d4aff4dbc711.tar.gz tor-6eb7f2f889d9e047ea75bad15531d4aff4dbc711.zip | |
Merge remote-tracking branch 'public/bug9928' into maint-0.2.3
| -rw-r--r-- | changes/bug9928 | 6 | ||||
| -rw-r--r-- | src/common/util.c | 10 |
2 files changed, 11 insertions, 5 deletions
diff --git a/changes/bug9928 b/changes/bug9928 new file mode 100644 index 0000000000..b72cea3d87 --- /dev/null +++ b/changes/bug9928 @@ -0,0 +1,6 @@ + o Minor bugfixes: + - Avoid an off-by-one error when checking buffer boundaries when + formatting the exit status of a pluggable transport helper. + This is probably not an exploitable bug, but better safe than + sorry. Fixes bug 9928; bugfix on 0.2.3.18-rc. Bug found by + Pedro Ribeiro. diff --git a/src/common/util.c b/src/common/util.c index 6fb597a3a5..5b0dbcd07e 100644 --- a/src/common/util.c +++ b/src/common/util.c @@ -3256,10 +3256,10 @@ format_hex_number_for_helper_exit_status(unsigned int x, char *buf, * <b>hex_errno</b>. Called between fork and _exit, so must be signal-handler * safe. * - * <b>hex_errno</b> must have at least HEX_ERRNO_SIZE bytes available. + * <b>hex_errno</b> must have at least HEX_ERRNO_SIZE+1 bytes available. * * The format of <b>hex_errno</b> is: "CHILD_STATE/ERRNO\n", left-padded - * with spaces. Note that there is no trailing \0. CHILD_STATE indicates where + * with spaces. CHILD_STATE indicates where * in the processs of starting the child process did the failure occur (see * CHILD_STATE_* macros for definition), and SAVED_ERRNO is the value of * errno when the failure occurred. @@ -3338,8 +3338,8 @@ format_helper_exit_status(unsigned char child_state, int saved_errno, left -= written; cur += written; - /* Check that we have enough space left for a newline */ - if (left <= 0) + /* Check that we have enough space left for a newline and a NUL */ + if (left <= 1) goto err; /* Emit the newline and NUL */ @@ -3594,7 +3594,7 @@ tor_spawn_background(const char *const filename, const char **argv, this is used for printing out the error message */ unsigned char child_state = CHILD_STATE_INIT; - char hex_errno[HEX_ERRNO_SIZE]; + char hex_errno[HEX_ERRNO_SIZE + 1]; static int max_fd = -1; |