#26522: strncat() without bounds
----------------------------------------+----------------------------------
Reporter: Dhiraj | Owner: (none)
Type: defect | Status: new
Priority: Medium | Milestone: Tor: unspecified
Component: Core Tor/Tor | Version:
Severity: Major | Resolution:
Keywords: security-low, 035-proposed | Actual Points:
Parent ID: | Points:
Reviewer: | Sponsor:
----------------------------------------+----------------------------------
Changes (by teor):
* keywords: => security-low, 035-proposed
* version: Tor: unspecified =>
* milestone: => Tor: unspecified
Comment:
Marking as "security-low" in 0.3.5, because our use of strncat() is a
defence in depth mechanism that doesn't provide as much security as it
should:
https://trac.torproject.org/projects/tor/wiki/org/teams/NetworkTeam/SecurityPolicy
We should review all uses of strncat() to make sure we always pass the
*remaining*string length.
(And all uses of strlcat() to make sure we check the return value.)
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/26522#comment:1>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
_______________________________________________
tor-bugs mailing list
[email protected]
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs
