
bugfix: address that strcat vulnerability in circuit.c

svn:r1273
Roger Dingledine 21 years ago
parent
commit
fdc5751c60
4 changed files with 12 additions and 13 deletions
  1. 8 9
      src/or/circuit.c
  2. 2 2
      src/or/config.c
  3. 1 1
      src/or/dirserv.c
  4. 1 1
      src/or/routerlist.c

+ 8 - 9
src/or/circuit.c

@@ -790,29 +790,28 @@ void circuit_about_to_close_connection(connection_t *conn) {
 }
 
 void circuit_log_path(int severity, circuit_t *circ) {
-  static char b[1024];
+  char buf[1024];
+  char *s = buf;
   struct crypt_path_t *hop;
   char *states[] = {"closed", "waiting for keys", "open"};
   routerinfo_t *router;
   assert(circ->cpath);
 
-  sprintf(b,"circ (length %d, exit %s): ",
+  snprintf(s, sizeof(buf)-1, "circ (length %d, exit %s): ",
           circ->build_state->desired_path_len, circ->build_state->chosen_exit);
   hop=circ->cpath;
   do {
+    s = buf + strlen(buf);
     router = router_get_by_addr_port(hop->addr,hop->port);
     if(router) {
-      /* XXX strcat allows buffer overflow */
-      strcat(b,router->nickname);
-      strcat(b,"(");
-      strcat(b,states[hop->state]);
-      strcat(b,"),");
+      snprintf(s, sizeof(buf) - (s - buf), "%s(%s) ",
+               router->nickname, states[hop->state]);
     } else {
-      strcat(b,"UNKNOWN,");
+      snprintf(s, sizeof(buf) - (s - buf), "UNKNOWN ");
     }
     hop=hop->next;
   } while(hop!=circ->cpath);
-  log_fn(severity,"%s",b);
+  log_fn(severity,"%s",buf);
 }
 
 static void
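Review bot: The new `s = buf + strlen(buf);` at the top of the loop depends on every snprintf call leaving `buf` NUL-terminated, but `buf` is an uninitialized stack array and nothing ever writes its last byte: the first call reserves it with `sizeof(buf)-1`, while the two calls inside the loop pass the full remainder `sizeof(buf) - (s - buf)`. With a C99-conforming snprintf this is safe and a long path is simply truncated, but on a platform whose snprintf does not terminate on truncation, strlen would read past the array. I would add `buf[sizeof(buf)-1] = '\0';` after the declarations and pass `sizeof(buf) - 1 - (s - buf)` in the loop, so all three calls follow one rule. Separately, `states[hop->state]` still indexes a three-entry array with no range check, which deserves a guard if that field can ever hold another value.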

+ 2 - 2
src/or/config.c

@@ -345,7 +345,7 @@ static void print_usage(void) {
          );
 }
 
-int resolve_my_address(or_options_t *options) {
+static int resolve_my_address(or_options_t *options) {
   struct in_addr in;
   struct hostent *rent;
   char localhostname[256];
@@ -377,7 +377,7 @@ int resolve_my_address(or_options_t *options) {
   assert(rent->h_length == 4);
   memcpy(&in.s_addr, rent->h_addr,rent->h_length);
   if(is_internal_IP(in.s_addr)) {
-    log_fn(LOG_WARN,"Address '%s' resolves to '%s'. "
+    log_fn(LOG_WARN,"Address '%s' resolves to private IP '%s'. "
            "Please set the Address config option to be your public IP.",
            options->Address, inet_ntoa(in));
     return -1;

+ 1 - 1
src/or/dirserv.c

@@ -341,7 +341,7 @@ list_running_servers(char **nicknames_out)
   for (i = 0; i<n; ++i) {
     if (i)
       strcat(cp, " ");
-    strcat(cp, nickname_lst[i]);
+    strcat(cp, nickname_lst[i]); /* can't overflow */
     while (*cp)
       ++cp;
   }
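Review bot: The added `/* can't overflow */` on `strcat(cp, nickname_lst[i]);` states a conclusion without the invariant behind it, and the allocation of the buffer `cp` points into is outside this hunk, so a reader cannot check the claim here. Presumably the buffer is sized from the nickname lengths earlier in list_running_servers; once confirmed, the comment should say so, along the lines of `/* can't overflow: buffer sized above for every nickname plus a separator */`, and it should cover the `strcat(cp, " ")` two lines up as well. The same bare comment is added to `strcat(newe->string, arg);` in src/or/routerlist.c, where the size of `newe->string` relative to `arg` is likewise not visible in the hunk. In both places a length-bounded call or an assert on the remaining space would keep the claim true if the sizing code later changes.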

+ 1 - 1
src/or/routerlist.c

@@ -1064,7 +1064,7 @@ router_add_exit_policy(routerinfo_t *router, directory_token_t *tok) {
     strcpy(newe->string, "accept ");
     newe->policy_type = EXIT_POLICY_ACCEPT;
   }
-  strcat(newe->string, arg);
+  strcat(newe->string, arg); /* can't overflow */
 
   address = arg;
   mask = strchr(arg,'/');