authorNick Mathewson <nickm@torproject.org>2011-07-01 12:06:54 -0400
committerNick Mathewson <nickm@torproject.org>2011-07-01 12:54:24 -0400
commit959da6b7f2b5ed63426fd12a9046ac06033f6db1 (patch)
tree511cbbf99e04527081166fbb53a319b997f1bcc1 /src/or
parent46297bc7bd86826fa79195f36059ce408ef45b6c (diff)
Use strlcpy in create_unix_sockaddr()
Using strncpy meant that if listenaddress were ever >= sizeof(sockaddr_un.sun_path), we would fail to nul-terminate sun_path. This isn't a big deal: we never read sun_path, and the kernel is smart enough to reject the sockaddr_un if it isn't nul-terminated. Nonetheless, it's a dumb failure mode. Instead, we should reject addresses that don't fit in sockaddr_un.sun_path. Coverity found this; it's CID 428. Bugfix on 0.2.0.3-alpha.
Diffstat (limited to 'src/or')
-rw-r--r--src/or/connection.c8
1 files changed, 7 insertions, 1 deletions
diff --git a/src/or/connection.c b/src/or/connection.c
index 4869a2439a..2897fe10a1 100644
--- a/src/or/connection.c
+++ b/src/or/connection.c
@@ -804,7 +804,13 @@ create_unix_sockaddr(const char *listenaddress, char **readable_address,
sockaddr = tor_malloc_zero(sizeof(struct sockaddr_un));
sockaddr->sun_family = AF_UNIX;
- strncpy(sockaddr->sun_path, listenaddress, sizeof(sockaddr->sun_path));
+ if (strlcpy(sockaddr->sun_path, listenaddress, sizeof(sockaddr->sun_path))
+ >= sizeof(sockaddr->sun_path)) {
+ log_warn(LD_CONFIG, "Unix socket path '%s' is too long to fit.",
+ escaped(listenaddress));
+ tor_free(sockaddr);
+ return NULL;
+ }
if (readable_address)
*readable_address = tor_strdup(listenaddress);
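Review bot: The new early `return NULL;` in the too-long branch exits before `*readable_address` is assigned, so on this path the out-parameter keeps whatever value the caller passed in. If any caller frees or logs that pointer after a failed call without having initialized it, it would be working with an indeterminate pointer. Setting it explicitly before the check, for example `if (readable_address) *readable_address = NULL;`, would make the failure path safe by construction. The function's header comment should also state that NULL is returned, and nothing is allocated for the caller, when `listenaddress` does not fit in `sun_path`. The signature's remaining parameters and the rest of the body lie outside this hunk, so the callers' handling of the NULL return cannot be confirmed from here.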