[tor-commits] [torsocks/master] Fix memcpy buffer overrun in gethostbyaddr()
commit 34b1f1cc25aa2e0e80c1aa53c4aa007680bbab13
Author: David Goulet <dgoulet@xxxxxxxxx>
Date: Sun Aug 21 11:11:21 2016 -0400
Fix memcpy buffer overrun in gethostbyaddr()
Similar to the previous commit, but heap memory was copied to a static stack
buffer. This is not security critical, but still we shouldn't let torsocks
store, let's say, a malicious payload on the stack.
Reported-by: Guido Vranken <guidovranken@xxxxxxxxx>
Signed-off-by: David Goulet <dgoulet@xxxxxxxxx>
---
src/lib/gethostbyname.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/src/lib/gethostbyname.c b/src/lib/gethostbyname.c
index d67cc8e..e43ed4a 100644
--- a/src/lib/gethostbyname.c
+++ b/src/lib/gethostbyname.c
@@ -191,7 +191,11 @@ LIBC_GETHOSTBYADDR_RET_TYPE tsocks_gethostbyaddr(LIBC_GETHOSTBYADDR_SIG)
goto error;
}
} else {
- memcpy(tsocks_he_name, hostname, sizeof(tsocks_he_name));
+ /* The hostname value is a NUL terminated string. Having a bigger
+ * hostname here than what we return implies that SOCKS5 can resolve a
+ * bigger hostname than 256 bytes (255 + NUL byte). */
+ assert(strlen(hostname) <= (sizeof(tsocks_he_name) + 1));
+ strncpy(tsocks_he_name, hostname, sizeof(tsocks_he_name));
free(hostname);
tsocks_he_addr_list[0] = (char *) addr;
}
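Review bot: The bound in the added assert is too loose for the copy that follows it: `strlen(hostname) <= (sizeof(tsocks_he_name) + 1)` accepts strings of sizeof, and even sizeof + 1, characters, while only strlen(hostname) < sizeof(tsocks_he_name) leaves room for the terminating NUL. In those accepted cases `strncpy(tsocks_he_name, hostname, sizeof(tsocks_he_name))` fills the whole buffer and writes no terminator, so later readers of tsocks_he_name would run past its end. Suggest tightening the check to `assert(strlen(hostname) < sizeof(tsocks_he_name));` and setting the last byte of tsocks_he_name to NUL after the strncpy as a backstop. Also note that assert() is compiled out when NDEBUG is defined, so a release build relies on strncpy alone; since the hostname comes from the SOCKS5 resolution, a runtime length check that frees hostname and takes the existing `goto error` path would fail cleanly instead of aborting or silently truncating.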