off-by-one in buffer length check in format_helper_exit_status
{{{
I think there is a small buffer overflow (off by one) in the current stable version of tor.
The function in question is format_helper_exit_status, which returns a formatted hex string. It is in common/util.c, starting at line 3270. The function has a comment header that explains how it works. It specifically says it returns a string that is not null terminated, but instead terminates with a newline.
The code checks periodically throughout the function whether it has written more bytes than it should. If it does, it errors out and writes a null character in the current character positions. This by itself can lead to a buffer overflow, but I believe the checks ensure that it almost never writes over the buffer size - except in one case.
After it has finished everything, it then checks again if there are more than 0 bytes left in the buffer. If there are, it writes two characters - a newline and a null terminator (lines 3342 to 3347).
The problem here is if the buffer only has one byte left, an off by one overflow occurs. These usually are very hard to exploit, but can be a security issue nonetheless.
However given that I am not familiar with the tor codebase I might be wrong? I also did a quick security audit on the rest of the tor code and couldn't find anything else. I was inspire because of the recent events...