[tor-bugs] #19357 [Core Tor/Tor]: keypin_load_journal_impl() might break if journal file contains NUL
Tor Bug Tracker & Wiki
blackhole at torproject.org
Wed Jun 8 18:44:13 UTC 2016
#19357: keypin_load_journal_impl() might break if journal file contains NUL
------------------------------+--------------------------------
     Reporter:  andrea        |      Owner:
         Type:  defect        |     Status:  new
     Priority:  Medium        |  Milestone:  Tor: 0.2.9.x-final
    Component:  Core Tor/Tor  |    Version:  Tor: unspecified
     Severity:  Normal        |   Keywords:
Actual Points:                |  Parent ID:
       Points:                |   Reviewer:
      Sponsor:                |
------------------------------+--------------------------------
The journal file reader loop in src/or/keypin.c only uses end of file or
'\n' to find the end of a line, so if a line contains a NUL we may end up
passing a string with one in the middle to other things:
{{{
STATIC int
keypin_load_journal_impl(const char *data, size_t size,
                         keypin_journal_pruner_t *pruner)
{
  const char *start = data, *end = data + size, *next;

  int n_corrupt_lines = 0;
  int n_entries = 0;
  int n_duplicates = 0;
  int n_conflicts = 0;

  for (const char *cp = start; cp < end; cp = next) {
    const char *eol = memchr(cp, '\n', end-cp);
    const char *eos = eol ? eol : end;
    const size_t len = eos - cp;
}}}
We should think about this more and make sure this is safe.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/19357>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
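
An added example, not part of the ticket and not Tor's code: a stand-alone scanner that splits a buffer the same way as the loop quoted above and also checks each line for an embedded NUL, counting such a line as corrupt (one possible handling, assumed here). The names `scan_journal` and `scan_result_t` and the sample buffer are constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Counters for one pass over a journal-style buffer (hypothetical type). */
typedef struct {
  int n_lines;         /* lines found, split on '\n' or end of buffer */
  int n_clean;         /* lines with no NUL byte inside them */
  int n_nul_lines;     /* lines with a NUL before their end */
  size_t hidden_bytes; /* bytes after the first NUL that str*() never sees */
} scan_result_t;

/* Split data[0..size) as the quoted loop does, but check each line for an
 * embedded NUL and count it as corrupt instead of passing it on. */
static scan_result_t
scan_journal(const char *data, size_t size)
{
  scan_result_t r = {0, 0, 0, 0};
  const char *end = data + size, *next;

  for (const char *cp = data; cp < end; cp = next) {
    const char *eol = memchr(cp, '\n', (size_t)(end - cp));
    const char *eos = eol ? eol : end;
    const size_t len = (size_t)(eos - cp);
    next = eol ? eol + 1 : end;
    r.n_lines++;

    const char *nul = memchr(cp, '\0', len);
    if (nul) {
      /* strlen() on this line would report nul - cp, not len. */
      r.n_nul_lines++;
      r.hidden_bytes += len - (size_t)(nul - cp) - 1;
      continue;
    }
    r.n_clean++;
  }
  return r;
}

int
main(void)
{
  /* Constructed sample: the second line carries a NUL in the middle. */
  static const char sample[] = "abc\ndef\0ghi\nxyz";
  scan_result_t r = scan_journal(sample, sizeof(sample) - 1);
  printf("lines=%d clean=%d nul=%d hidden=%zu\n",
         r.n_lines, r.n_clean, r.n_nul_lines, r.hidden_bytes);
  return 0;
}
```

The `hidden_bytes` counter measures the gap between the length the splitter computes and the length a NUL-terminated consumer would observe for the same line.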