#19223: Potential heap corruption in do_getpass in routerkeys.c
-------------------------------------------------+-------------------------
 Reporter:  asn                                  |          Owner:
     Type:  defect                               |         Status:  new
 Priority:  Low                                  |      Milestone:  Tor:
                                                 |  0.2.???
Component:  Core Tor/Tor                         |        Version:  Tor:
                                                 |  unspecified
 Severity:  Normal                               |     Resolution:
 Keywords:  tor-bug-bounty, 028-backport,        |  Actual Points:
  isaremoved nickwants029                        |
Parent ID:                                       |         Points:  0.5
 Reviewer:                                       |        Sponsor:
-------------------------------------------------+-------------------------

Comment (by nherring):

 Have a suggested fix, but don't know the model for adding tests, code
 review, submission, etc. Ptr to FAQ/instructions appreciated.

 {{{
 $ git diff src/or/routerkeys.c
 diff --git a/src/or/routerkeys.c b/src/or/routerkeys.c
 index 060ffd8..d5e7051 100644
 --- a/src/or/routerkeys.c
 +++ b/src/or/routerkeys.c
 @@ -48,8 +48,8 @@ do_getpass(const char *prompt, char *buf, size_t buflen,
      size_t p2len = strlen(prompt) + 1;
      if (p2len < sizeof(msg))
        p2len = sizeof(msg);
 -    prompt2 = tor_malloc(strlen(prompt)+1);
 -    memset(prompt2, ' ', p2len);
 +    prompt2 = tor_malloc(p2len);
 +    memset(prompt2, ' ', p2len - sizeof(msg));
      memcpy(prompt2 + p2len - sizeof(msg), msg, sizeof(msg));

      buf2 = tor_malloc_zero(buflen);
 }}}
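
 Review bot: the new memset length on the second `+` line, `p2len - sizeof(msg)`, is only safe because of the clamp just above it (`if (p2len < sizeof(msg)) p2len = sizeof(msg);`); without that clamp the size_t subtraction would wrap and the memset would run far past the buffer. The `tor_malloc(p2len)` line alone makes the allocation match what the memset and memcpy write, so either keep `memset(prompt2, ' ', p2len)` to keep the backport minimal, or add a short comment stating that p2len >= sizeof(msg) holds at this point. The memcpy in the context line writes exactly the last sizeof(msg) bytes of the buffer, so prompt2 is NUL-terminated only if msg is; that is worth confirming against the declaration of msg, which is outside this hunk. A regression test that calls do_getpass with a prompt shorter than msg would cover the case where the old code allocated strlen(prompt)+1 bytes and then wrote sizeof(msg).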

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/19223#comment:4>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
_______________________________________________
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs
