Commit fdc5751c authored by Roger Dingledine's avatar Roger Dingledine
Browse files

bugfix: address that strcat vulnerability in circuit.c


svn:r1273
parent 5d41346b
......@@ -790,29 +790,28 @@ void circuit_about_to_close_connection(connection_t *conn) {
}
void circuit_log_path(int severity, circuit_t *circ) {
static char b[1024];
char buf[1024];
char *s = buf;
struct crypt_path_t *hop;
char *states[] = {"closed", "waiting for keys", "open"};
routerinfo_t *router;
assert(circ->cpath);
sprintf(b,"circ (length %d, exit %s): ",
snprintf(s, sizeof(buf)-1, "circ (length %d, exit %s): ",
circ->build_state->desired_path_len, circ->build_state->chosen_exit);
hop=circ->cpath;
do {
s = buf + strlen(buf);
router = router_get_by_addr_port(hop->addr,hop->port);
if(router) {
/* XXX strcat allows buffer overflow */
strcat(b,router->nickname);
strcat(b,"(");
strcat(b,states[hop->state]);
strcat(b,"),");
snprintf(s, sizeof(buf) - (s - buf), "%s(%s) ",
router->nickname, states[hop->state]);
} else {
strcat(b,"UNKNOWN,");
snprintf(s, sizeof(buf) - (s - buf), "UNKNOWN ");
}
hop=hop->next;
} while(hop!=circ->cpath);
log_fn(severity,"%s",b);
log_fn(severity,"%s",buf);
}
static void
......
......@@ -345,7 +345,7 @@ static void print_usage(void) {
);
}
int resolve_my_address(or_options_t *options) {
static int resolve_my_address(or_options_t *options) {
struct in_addr in;
struct hostent *rent;
char localhostname[256];
......@@ -377,7 +377,7 @@ int resolve_my_address(or_options_t *options) {
assert(rent->h_length == 4);
memcpy(&in.s_addr, rent->h_addr,rent->h_length);
if(is_internal_IP(in.s_addr)) {
log_fn(LOG_WARN,"Address '%s' resolves to '%s'. "
log_fn(LOG_WARN,"Address '%s' resolves to private IP '%s'. "
"Please set the Address config option to be your public IP.",
options->Address, inet_ntoa(in));
return -1;
......
......@@ -341,7 +341,7 @@ list_running_servers(char **nicknames_out)
for (i = 0; i<n; ++i) {
if (i)
strcat(cp, " ");
strcat(cp, nickname_lst[i]);
strcat(cp, nickname_lst[i]); /* can't overflow */
while (*cp)
++cp;
}
......
......@@ -1064,7 +1064,7 @@ router_add_exit_policy(routerinfo_t *router, directory_token_t *tok) {
strcpy(newe->string, "accept ");
newe->policy_type = EXIT_POLICY_ACCEPT;
}
strcat(newe->string, arg);
strcat(newe->string, arg); /* can't overflow */
address = arg;
mask = strchr(arg,'/');
......
Supports Markdown
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment