Opened 5 years ago

Last modified 3 years ago

#18276 new defect

directory_send_command doesn't check string operation return values

Reported by: teor
Owned by:
Priority: Low
Milestone: Tor: unspecified
Component: Core Tor/Tor
Version:
Severity: Minor
Keywords: tor-client memory-safety
Cc:
Actual Points:
Parent ID:
Points: low
Reviewer:
Sponsor:


When reviewing directory_send_command() in #18051, I noticed:

We are not checking the return values of tor_snprintf and strlcpy; I wonder if we should do that.

I wonder if the buffers are large enough:

  • the maximum length of a DNS name is 254 characters, but the buffers are 128 characters
    • the maximum length of an IPv6 address is 48 characters (see TOR_ADDR_BUF_LEN)
    • the maximum length of an IPv4 address is 15 characters
  • the :port adds another 6 characters
  • the http:// adds another 7 characters

Change History (7)

comment:1 Changed 5 years ago by nickm

tor_asprintf() would solve a lot of these problems.
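The two approaches raised above (checking the formatting return value against a 128-byte buffer, and allocating the string instead), as an added example that is not Tor's code. It uses standard C `snprintf` rather than Tor's `tor_snprintf`, `strlcpy` or `tor_asprintf`; the function names `format_url_fixed` and `format_url_alloc`, the port value and the host name are constructed for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define HOSTSTR_LEN 128 /* fixed buffer size cited in the ticket */

/* Format "http://host:port" into a fixed buffer. Returns 0 on success,
 * -1 on error or truncation; on failure the buffer holds an empty string
 * so a cut-off URL can never be used by mistake. */
static int format_url_fixed(char *out, size_t outlen,
                            const char *host, unsigned port)
{
    int n = snprintf(out, outlen, "http://%s:%u", host, port);
    if (n < 0 || (size_t)n >= outlen) {
        if (outlen > 0)
            out[0] = '\0';
        return -1;
    }
    return 0;
}

/* Measure first, then allocate exactly enough. Caller frees the result.
 * Returns NULL on formatting or allocation failure. */
static char *format_url_alloc(const char *host, unsigned port)
{
    int n = snprintf(NULL, 0, "http://%s:%u", host, port);
    if (n < 0)
        return NULL;
    char *buf = malloc((size_t)n + 1);
    if (buf && snprintf(buf, (size_t)n + 1, "http://%s:%u", host, port) != n) {
        free(buf);
        buf = NULL;
    }
    return buf;
}

int main(void)
{
    char host[254], url[HOSTSTR_LEN]; /* constructed 253-character name */
    memset(host, 'a', sizeof(host) - 1);
    host[sizeof(host) - 1] = '\0';

    printf("fixed buffer: %d\n", format_url_fixed(url, sizeof(url), host, 9030));
    char *dyn = format_url_alloc(host, 9030);
    printf("allocated length: %zu\n", dyn ? strlen(dyn) : 0);
    free(dyn);
    return 0;
}
```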

comment:2 Changed 4 years ago by isabela

Keywords: isaremoved added
Milestone: Tor: 0.2.9.x-final → Tor: 0.2.???

comment:3 Changed 4 years ago by teor

Milestone: Tor: 0.2.??? → Tor: 0.3.???

Milestone renamed

comment:4 Changed 4 years ago by nickm

Keywords: tor-03-unspecified-201612 added
Milestone: Tor: 0.3.??? → Tor: unspecified

Finally admitting that 0.3.??? was a euphemism for Tor: unspecified all along.

comment:5 Changed 3 years ago by nickm

Keywords: easy isaremoved tor-03-unspecified-201612 removed
Parent ID: #22342

Best solved IMO as part of adding a more general mechanism; see parent

comment:6 Changed 3 years ago by nickm

Keywords: tor-client memory-safety added

comment:7 Changed 3 years ago by nickm

Parent ID: #22342