Fix non-triggerable heap corruption at do_getpass().

author George Kadianakis <desnacked@riseup.net>

Mon, 10 Oct 2016 16:03:39 +0000 (12:03 -0400)

committer George Kadianakis <desnacked@riseup.net>

Mon, 10 Oct 2016 16:03:39 +0000 (12:03 -0400)
author George Kadianakis <desnacked@riseup.net>
Mon, 10 Oct 2016 16:03:39 +0000 (12:03 -0400)
committer George Kadianakis <desnacked@riseup.net>
Mon, 10 Oct 2016 16:03:39 +0000 (12:03 -0400)
diff --git a/changes/bug19223 b/changes/bug19223

new file mode 100644 (file)

index 0000000..e8ca6d4
--- /dev/null
+++ b/changes/bug19223
@@ -0,0 +1,4 @@
+  o Minor bugfixes (getpass):
+    - Defensively fix a non-triggerable heap corruption at do_getpass() tow
+      protect ourselves from mistakes in the future. Fixes bug #19223; bugfix
+      on 0.2.7.3-rc. Bug found by Guido Vranken, patch by nherring.
+\ No newline at end of file
diff --git a/src/or/routerkeys.c b/src/or/routerkeys.c

index 060ffd8753fdfdae6bde3e4654cee508a3327ca0..d5e7051296734eb43e4f8c9561fecf912a95c7e5 100644 (file)
--- a/src/or/routerkeys.c
+++ b/src/or/routerkeys.c
@@ -48,8 +48,8 @@ do_getpass(const char *prompt, char *buf, size_t buflen,
      size_t p2len = strlen(prompt) + 1;
      if (p2len < sizeof(msg))
        p2len = sizeof(msg);
-    prompt2 = tor_malloc(strlen(prompt)+1);
-    memset(prompt2, ' ', p2len);
+    prompt2 = tor_malloc(p2len);
+    memset(prompt2, ' ', p2len - sizeof(msg));
      memcpy(prompt2 + p2len - sizeof(msg), msg, sizeof(msg));
  
      buf2 = tor_malloc_zero(buflen);
author	George Kadianakis <desnacked@riseup.net>
	Mon, 10 Oct 2016 16:03:39 +0000 (12:03 -0400)
committer	George Kadianakis <desnacked@riseup.net>
	Mon, 10 Oct 2016 16:03:39 +0000 (12:03 -0400)
changes/bug19223	[new file with mode: 0644]	patch \| blob
src/or/routerkeys.c		patch \| blob \| blame \| history