#19357: keypin_load_journal_impl() might break if journal file contains NUL
------------------------------+--------------------------------
     Reporter:  andrea        |          Owner:
         Type:  defect        |         Status:  new
     Priority:  Medium        |      Milestone:  Tor: 0.2.9.x-final
    Component:  Core Tor/Tor  |        Version:  Tor: unspecified
     Severity:  Normal        |       Keywords:
Actual Points:                |      Parent ID:
       Points:                |       Reviewer:
      Sponsor:                |
------------------------------+--------------------------------
 The journal file reader loop in src/or/keypin.c only uses end of file or
 '\n' to find the end of a line, so if a line contains a NUL we may end up
 passing a string with one in the middle to other things:

 {{{
 STATIC int
 keypin_load_journal_impl(const char *data, size_t size,
                          keypin_journal_pruner_t *pruner)
 {
   const char *start = data, *end = data + size, *next;

   int n_corrupt_lines = 0;
   int n_entries = 0;
   int n_duplicates = 0;
   int n_conflicts = 0;

   for (const char *cp = start; cp < end; cp = next) {
     const char *eol = memchr(cp, '\n', end-cp);
     const char *eos = eol ? eol : end;
     const size_t len = eos - cp;
 }}}

 We should think about this more and make sure this is safe.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/19357>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
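
One way to keep NUL-containing lines away from string-handling code, shown as an added example that is not Tor's code and not the fix adopted for this ticket. It reuses the ticket's newline-or-end-of-buffer delimiting; `scan_journal()`, `struct scan_stats` and the sample buffer are hypothetical names and constructed data.

```c
/* Added example, not Tor code: scan_journal() and struct scan_stats are
 * hypothetical names. Lines are delimited by '\n' or end of buffer, as in
 * the ticket's loop, but a line holding a NUL byte is counted as corrupt
 * and never reaches code that treats it as a C string. */
#include <stdio.h>
#include <string.h>

struct scan_stats {
  int n_lines;         /* non-empty lines with no NUL, safe to parse further */
  int n_corrupt_lines; /* lines containing at least one NUL byte */
};

static struct scan_stats
scan_journal(const char *data, size_t size)
{
  struct scan_stats st = { 0, 0 };
  const char *end = data + size, *next;

  for (const char *cp = data; cp < end; cp = next) {
    const char *eol = memchr(cp, '\n', (size_t)(end - cp));
    const char *eos = eol ? eol : end;
    const size_t len = (size_t)(eos - cp);

    next = eol ? eol + 1 : end;
    if (len == 0)
      continue; /* blank line */
    /* len comes from the newline search, so a NUL inside [cp, eos)
     * would make strlen()-style consumers see a shorter string than
     * len. Reject the line instead of passing it on. */
    if (memchr(cp, '\0', len) != NULL) {
      ++st.n_corrupt_lines;
      continue;
    }
    ++st.n_lines;
  }
  return st;
}

/* Constructed sample: a clean line, a line with an embedded NUL, a blank
 * line, and a final clean line with no trailing newline. */
static const char SAMPLE[] = "alpha beta\ngam\0ma delta\n\nepsilon";

int
main(void)
{
  struct scan_stats st = scan_journal(SAMPLE, sizeof(SAMPLE) - 1);
  printf("ok=%d corrupt=%d\n", st.n_lines, st.n_corrupt_lines);
  return 0;
}
```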