author | George Kadianakis <desnacked@riseup.net> | 2016-10-10 12:03:39 -0400 |
---|---|---|
committer | George Kadianakis <desnacked@riseup.net> | 2016-10-10 12:03:39 -0400 |
commit | e59f0d4cb964387c5c653d3943ae4ecb9cab55b9 (patch) | |
tree | ea77ddbe7b8160d752557316f963b7a3236b1368 | |
parent | 684500519d5060fcbcc410a0e71d8d9a32fa8220 (diff) | |
Fix non-triggerable heap corruption at do_getpass().
-rw-r--r-- | changes/bug19223 | 4 | ||||
-rw-r--r-- | src/or/routerkeys.c | 4 |
2 files changed, 6 insertions, 2 deletions
diff --git a/changes/bug19223 b/changes/bug19223
new file mode 100644
index 0000000000..e8ca6d4ec7
--- /dev/null
+++ b/changes/bug19223
@@ -0,0 +1,4 @@
+ o Minor bugfixes (getpass):
+ - Defensively fix a non-triggerable heap corruption at do_getpass() tow
+ protect ourselves from mistakes in the future. Fixes bug #19223; bugfix
+ on 0.2.7.3-rc. Bug found by Guido Vranken, patch by nherring.
\ No newline at end of file
diff --git a/src/or/routerkeys.c b/src/or/routerkeys.c
index 060ffd8753..d5e7051296 100644
--- a/src/or/routerkeys.c
+++ b/src/or/routerkeys.c
@@ -48,8 +48,8 @@ do_getpass(const char *prompt, char *buf, size_t buflen,
 size_t p2len = strlen(prompt) + 1;
 if (p2len < sizeof(msg))
 p2len = sizeof(msg);
- prompt2 = tor_malloc(strlen(prompt)+1);
- memset(prompt2, ' ', p2len);
+ prompt2 = tor_malloc(p2len);
+ memset(prompt2, ' ', p2len - sizeof(msg));
 memcpy(prompt2 + p2len - sizeof(msg), msg, sizeof(msg));
 buf2 = tor_malloc_zero(buflen); |
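Review bot: The new memset length `p2len - sizeof(msg)` is an unsigned subtraction that is safe only because of the clamp `if (p2len < sizeof(msg)) p2len = sizeof(msg);` two lines earlier, and nothing in the hunk records that dependency. Since this commit is a defensive fix for exactly this kind of allocation/fill mismatch, I would state the invariant at the point of use, for example `tor_assert(p2len >= sizeof(msg));` before the memset, or a comment such as `/* p2len >= sizeof(msg) after the clamp, so the pad length cannot wrap */`. A one-line comment saying that prompt2 is msg right-aligned and space-padded to the width of prompt would also make the memset/memcpy pair easier to audit against the `tor_malloc(p2len)` size. do_getpass() starts and continues outside this hunk, so how prompt2 and buf2 are later used and freed is not visible here.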