diff options
| author | Nick Mathewson <nickm@torproject.org> | 2013-10-10 10:55:24 -0400 |
|---|---|---|
| committer | Nick Mathewson <nickm@torproject.org> | 2013-10-10 10:55:24 -0400 |
| commit | 1137817319c7a9e4293e9901405d01e7b85da6ea (patch) | |
| tree | 2b4317b157c8aacdb2f828a34aeafd5db547a390 | |
| parent | 73a0bb16b9b750be9a51470ff57ee654787836d9 (diff) | |
| parent | 6eb7f2f889d9e047ea75bad15531d4aff4dbc711 (diff) | |
| download | tor-1137817319c7a9e4293e9901405d01e7b85da6ea.tar tor-1137817319c7a9e4293e9901405d01e7b85da6ea.tar.gz | |
Merge remote-tracking branch 'origin/maint-0.2.3' into maint-0.2.4
| -rw-r--r-- | changes/bug9928 | 6 | ||||
| -rw-r--r-- | src/common/util.c | 10 |
2 files changed, 11 insertions, 5 deletions
diff --git a/changes/bug9928 b/changes/bug9928 new file mode 100644 index 000000000..b72cea3d8 --- /dev/null +++ b/changes/bug9928 @@ -0,0 +1,6 @@ + o Minor bugfixes: + - Avoid an off-by-one error when checking buffer boundaries when + formatting the exit status of a pluggable transport helper. + This is probably not an exploitable bug, but better safe than + sorry. Fixes bug 9928; bugfix on 0.2.3.18-rc. Bug found by + Pedro Ribeiro. diff --git a/src/common/util.c b/src/common/util.c index db160fdf0..36468d2d8 100644 --- a/src/common/util.c +++ b/src/common/util.c @@ -3374,10 +3374,10 @@ format_hex_number_for_helper_exit_status(unsigned int x, char *buf, * <b>hex_errno</b>. Called between fork and _exit, so must be signal-handler * safe. * - * <b>hex_errno</b> must have at least HEX_ERRNO_SIZE bytes available. + * <b>hex_errno</b> must have at least HEX_ERRNO_SIZE+1 bytes available. * * The format of <b>hex_errno</b> is: "CHILD_STATE/ERRNO\n", left-padded - * with spaces. Note that there is no trailing \0. CHILD_STATE indicates where + * with spaces. CHILD_STATE indicates where * in the processs of starting the child process did the failure occur (see * CHILD_STATE_* macros for definition), and SAVED_ERRNO is the value of * errno when the failure occurred. @@ -3456,8 +3456,8 @@ format_helper_exit_status(unsigned char child_state, int saved_errno, left -= written; cur += written; - /* Check that we have enough space left for a newline */ - if (left <= 0) + /* Check that we have enough space left for a newline and a NUL */ + if (left <= 1) goto err; /* Emit the newline and NUL */ @@ -3712,7 +3712,7 @@ tor_spawn_background(const char *const filename, const char **argv, this is used for printing out the error message */ unsigned char child_state = CHILD_STATE_INIT; - char hex_errno[HEX_ERRNO_SIZE]; + char hex_errno[HEX_ERRNO_SIZE + 1]; static int max_fd = -1; |