Merge branch 'maint-0.3.4'

author: Nick Mathewson <nickm@torproject.org> 2018-09-07 08:45:10 -0400
committer: Nick Mathewson <nickm@torproject.org> 2018-09-07 08:45:10 -0400
commit: 7e91eb83d84b2fd3992c3c4bba49ffd0acb5db08 (patch)
tree: 503209e430a13376a1558bead88cb267975cf57b /src/feature/rend
parent: 22e24031452d57852e83738bacfff012439f0258 (diff)
parent: a4930de5e96b83295478386cd15c8a7a3e8c0ef8 (diff)
download: tor-7e91eb83d84b2fd3992c3c4bba49ffd0acb5db08.tar.gz
tor-7e91eb83d84b2fd3992c3c4bba49ffd0acb5db08.zip
1 files changed, 9 insertions, 0 deletions
diff --git a/src/feature/rend/rendclient.c b/src/feature/rend/rendclient.c
index 2c4cec65b1..0efeb3b77c 100644
--- a/src/feature/rend/rendclient.c
+++ b/src/feature/rend/rendclient.c
@@ -252,6 +252,15 @@ rend_client_send_introduction(origin_circuit_t *introcirc,
     dh_offset = v3_shift+7+DIGEST_LEN+2+klen+REND_COOKIE_LEN;
   } else {
     /* Version 0. */
+
+    /* Some compilers are smart enough to work out that nickname can be more
+     * than 19 characters, when it's a hexdigest. They warn that strncpy()
+     * will truncate hexdigests without NUL-terminating them. But we only put
+     * hexdigests in HSDir and general circuit exits. */
+    if (BUG(strlen(rendcirc->build_state->chosen_exit->nickname)
+            > MAX_NICKNAME_LEN)) {
+      goto perm_err;
+    }
     strncpy(tmp, rendcirc->build_state->chosen_exit->nickname,
             (MAX_NICKNAME_LEN+1)); /* nul pads */
     memcpy(tmp+MAX_NICKNAME_LEN+1, rendcirc->rend_data->rend_cookie,
author	Nick Mathewson <nickm@torproject.org>	2018-09-07 08:45:10 -0400
committer	Nick Mathewson <nickm@torproject.org>	2018-09-07 08:45:10 -0400
commit	7e91eb83d84b2fd3992c3c4bba49ffd0acb5db08 (patch)
tree	503209e430a13376a1558bead88cb267975cf57b /src/feature/rend
parent	22e24031452d57852e83738bacfff012439f0258 (diff)
parent	a4930de5e96b83295478386cd15c8a7a3e8c0ef8 (diff)
download	tor-7e91eb83d84b2fd3992c3c4bba49ffd0acb5db08.tar.gz tor-7e91eb83d84b2fd3992c3c4bba49ffd0acb5db08.zip