Fix non-triggerable heap corruption at do_getpass().

e59f0d4c · George Kadianakis · 68450051 · e59f0d4c · e59f0d4c
Commit e59f0d4c authored Oct 10, 2016 by George Kadianakis
--- a/changes/bug19223
+++ b/changes/bug19223
+  o Minor bugfixes (getpass):
+    - Defensively fix a non-triggerable heap corruption at do_getpass() tow
+      protect ourselves from mistakes in the future. Fixes bug #19223; bugfix
+      on 0.2.7.3-rc. Bug found by Guido Vranken, patch by nherring.
\ No newline at end of file
--- a/src/or/routerkeys.c
+++ b/src/or/routerkeys.c
@@ -48,8 +48,8 @@ do_getpass(const char *prompt, char *buf, size_t buflen,
    size_t p2len = strlen(prompt) + 1;
    if (p2len < sizeof(msg))
      p2len = sizeof(msg);
-    prompt2 = tor_malloc(strlen(prompt)+1);
-    memset(prompt2, ' ', p2len);
+    prompt2 = tor_malloc(p2len);
+    memset(prompt2, ' ', p2len - sizeof(msg));
    memcpy(prompt2 + p2len - sizeof(msg), msg, sizeof(msg));

    buf2 = tor_malloc_zero(buflen);