[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]
[tor-bugs] #19357 [Core Tor/Tor]: keypin_load_journal_impl() might break if journal file contains NUL
#19357: keypin_load_journal_impl() might break if journal file contains NUL
------------------------------+--------------------------------
Reporter: andrea | Owner:
Type: defect | Status: new
Priority: Medium | Milestone: Tor: 0.2.9.x-final
Component: Core Tor/Tor | Version: Tor: unspecified
Severity: Normal | Keywords:
Actual Points: | Parent ID:
Points: | Reviewer:
Sponsor: |
------------------------------+--------------------------------
The journal file reader loop in src/or/keypin.c only uses end of file or
'\n' to find the end of a line, so if a line contains a NUL we may end up
passing a string with one in the middle to other things:
{{{
367 STATIC int
368 keypin_load_journal_impl(const char *data, size_t size,
369 keypin_journal_pruner_t *pruner)
370 {
371 const char *start = data, *end = data + size, *next;
372
373 int n_corrupt_lines = 0;
374 int n_entries = 0;
375 int n_duplicates = 0;
376 int n_conflicts = 0;
377
378 for (const char *cp = start; cp < end; cp = next) {
379 const char *eol = memchr(cp, '\n', end-cp);
380 const char *eos = eol ? eol : end;
381 const size_t len = eos - cp;
}}}
We should think about this more and make sure this is safe.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/19357>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
_______________________________________________
tor-bugs mailing list
tor-bugs@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs