#19223: Potential heap corruption in do_getpass in routerkeys.c
-------------------------------------------------+-------------------------
 Reporter:  asn                                  |          Owner:
     Type:  defect                               |         Status:  new
 Priority:  Low                                  |      Milestone:  Tor: 0.2.???
Component:  Core Tor/Tor                         |        Version:  Tor: unspecified
 Severity:  Normal                               |     Resolution:
 Keywords:  tor-bug-bounty, 028-backport,        |  Actual Points:
  isaremoved nickwants029                        |
Parent ID:                                       |         Points:  0.5
 Reviewer:                                       |        Sponsor:
-------------------------------------------------+-------------------------

Comment (by nherring): Have a suggested fix, but don't know the model for adding tests, code review, submission, etc. Ptr to FAQ/instructions appreciated. {{{ $ git diff src/or/routerkeys.c diff --git a/src/or/routerkeys.c b/src/or/routerkeys.c index 060ffd8..d5e7051 100644 --- a/src/or/routerkeys.c +++ b/src/or/routerkeys.c @@ -48,8 +48,8 @@ do_getpass(const char *prompt, char *buf, size_t buflen, size_t p2len = strlen(prompt) + 1; if (p2len < sizeof(msg)) p2len = sizeof(msg); - prompt2 = tor_malloc(strlen(prompt)+1); - memset(prompt2, ' ', p2len); + prompt2 = tor_malloc(p2len); + memset(prompt2, ' ', p2len - sizeof(msg)); memcpy(prompt2 + p2len - sizeof(msg), msg, sizeof(msg)); buf2 = tor_malloc_zero(buflen); }}} -- Ticket URL: <https://trac.torproject.org/projects/tor/ticket/19223#comment:4> Tor Bug Tracker & Wiki <https://trac.torproject.org/> The Tor Project: anonymity online _______________________________________________ tor-bugs mailing list tor-bugs@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs
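
Review bot: the second changed line, memset(prompt2, ' ', p2len - sizeof(msg)), is not needed for the fix and makes the patch rely on the clamp just above it (p2len = sizeof(msg) when the prompt is shorter) to keep the subtraction from wrapping. Changing only the allocation to tor_malloc(p2len) already makes the buffer match the length used by the memset and memcpy, and keeps the change minimal for the 028-backport keyword on the ticket. If the narrower memset stays, add a comment stating that p2len >= sizeof(msg) holds at that point. A regression test should use a prompt shorter than msg, since that is the case where the old tor_malloc(strlen(prompt)+1) buffer was smaller than p2len.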