Second argument to strlcpy must always be NUL-terminated.
Reported by: nickm
Priority: Very High
Milestone: Tor: 0.2.6.x-final
Keywords: 023-backport, 024-backport, 025-backport, 2016-bug-retrospective
Even though strlcpy and strlcat stop copying their inputs when further bytes would fill up the output buffer, they keep reading the input string until they find a terminating NUL. This means that if you pass strlcpy or strlcat a non-NUL-terminated argument, they will keep reading off into the heap, and potentially crash.
We do this in at least one place.
Found while investigating #15083. This can be remotely triggerable on some systems, depending on the behavior of malloc(), and on whether buffer freelists are turned on, and on the phase of the moon.
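An added example (not Tor's code) that illustrates the read behaviour the report describes: a reference strlcpy in the OpenBSD style, instrumented to count how many source bytes it reads, beside a variant that also takes the readable size of the source so the scan can stop before a missing NUL. The names counting_strlcpy, bounded_strlcpy and bytes_read_last are assumptions made here.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

static size_t src_bytes_read;              /* bytes of src touched by the last call */
size_t bytes_read_last(void) { return src_bytes_read; }

/* OpenBSD-style strlcpy, instrumented. Copies at most dsize-1 bytes and
 * NUL-terminates, but always scans src to its NUL to return strlen(src). */
size_t counting_strlcpy(char *dst, const char *src, size_t dsize)
{
    const char *osrc = src;
    size_t nleft = dsize;
    src_bytes_read = 0;
    if (nleft != 0) {
        while (--nleft != 0) {             /* copy while room remains for the NUL */
            src_bytes_read++;
            if ((*dst++ = *src++) == '\0')
                break;
        }
    }
    if (nleft == 0) {                      /* dst full: terminate, keep scanning src */
        if (dsize != 0)
            *dst = '\0';
        while (*src++)                     /* this scan runs past an unterminated src */
            src_bytes_read++;
        src_bytes_read++;                  /* the NUL itself */
    }
    return (size_t)(src - osrc - 1);       /* length of src, NUL not counted */
}

/* Variant for sources that may lack a NUL: the caller states how many
 * bytes of src are readable, and the scan never goes beyond srcsize. */
size_t bounded_strlcpy(char *dst, size_t dsize, const char *src, size_t srcsize)
{
    size_t srclen = 0;
    src_bytes_read = 0;
    while (srclen < srcsize && src[srclen] != '\0') {
        srclen++;
        src_bytes_read++;
    }
    if (srclen < srcsize)
        src_bytes_read++;                  /* a NUL was present and was read */
    if (dsize != 0) {
        size_t n = srclen < dsize - 1 ? srclen : dsize - 1;
        memcpy(dst, src, n);
        dst[n] = '\0';
    }
    return srclen;
}

int main(void)
{
    char dst[4];
    char unterminated[4] = {'a', 'b', 'c', 'd'};   /* constructed: no NUL anywhere */
    counting_strlcpy(dst, "0123456789abcdef", sizeof dst);
    printf("strlcpy into 4 bytes read %zu source bytes\n", bytes_read_last());
    bounded_strlcpy(dst, sizeof dst, unterminated, sizeof unterminated);
    printf("bounded copy read %zu source bytes -> \"%s\"\n", bytes_read_last(), dst);
    return 0;
}
```

Even with a 4-byte destination, the reference strlcpy reads all 17 bytes of the terminated 16-character source, which is exactly the scan that walks off the end of a buffer with no NUL; the bounded variant stops at srcsize.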
Change History (7)
comment:5 Changed 2 years ago by nickm
- Resolution set to invalid
- Status changed from needs_review to closed