Opened 10 years ago

Last modified 7 years ago

#1257 closed defect (Fixed)

signed_descriptor_get_body_impl doesn't guarantee null-terminated string

Reported by: Sebastian Owned by:
Priority: Low Milestone:
Component: Core Tor/Tor Version: 0.2.1.22
Severity: Keywords:
Cc: Sebastian, nickm, arma Actual Points:
Parent ID: Points:
Reviewer: Sponsor:

Description

We're using strings returned from signed_descriptor_get_body_impl()
as if they were null-terminated in two places, but its documentation
states that this isn't guaranteed. The two places I found are:

in signed_desc_append_to_journal(), we call strlen on it

in routerlist_reparse_old(), we call router_parse_entry_from_string() on
it, and further down the chain we use strstr

A sidecomment by rieo from a while back made me look at this.

[Automatically added by flyspray2trac: Operating System: All]

Child Tickets

Change History (4)

comment:1 Changed 9 years ago by Sebastian

Fix in branch backports / bug1257 in my repo

comment:2 Changed 9 years ago by arma

Since the fix is in 0.2.1.25, I'm going to close.

comment:3 Changed 9 years ago by arma

flyspray2trac: bug closed.

comment:4 Changed 7 years ago by nickm

Component: Tor ClientTor
Note: See TracTickets for help on using tickets.