
Wednesday, 4 July 2018

strncat() without bounds - TOR

Hi Internet,


While going through the code of TOR, I noticed that the `backtrace.c` file, located at `/src/lib/err/backtrace.c`, was using `strncat()` at lines #L267-L268 in a way that is easy to get wrong:

```c
strncat(version, " ", sizeof(version)-1);
strncat(version, tor_version, sizeof(version)-1);
```

This is the classic `strncat()` mistake: the maximum size to append is computed incorrectly. The third argument is the number of characters `strncat()` may append, not the total size of the destination buffer, so passing `sizeof(version)-1` on every call ignores what is already in `version` and can write past its end.

But the tor-security team rated this bug as low, because the use of `strncat()` here is a defence-in-depth mechanism that does not provide as much protection as it should. Apart from that, the input cannot be influenced by an attacker: an attacker has no control over this file or over the version string.
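To make the arithmetic concrete, here is an added example (my own code, not Tor's) that models the two `strncat()` calls above with a constructed version string, shows which length first steps outside the 128-byte buffer with the buggy bound versus the correct remaining-room bound, and contrasts that with the `snprintf()` pattern the patch below switches to:

```c
/* Added example, not Tor's code: the size arithmetic behind the strncat()
 * misuse above, and the snprintf() pattern the patch moves to. */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 128   /* matches char version[128] in backtrace.c */

/* strncat(dst, src, n) appends min(n, strlen(src)) bytes plus a NUL to the
 * NUL-terminated dst. n is the most it may APPEND, so the in-bounds value
 * is dst_size - strlen(dst) - 1, not the sizeof(dst)-1 the original passed. */
bool strncat_would_overflow(const char *dst, size_t dst_size,
                            const char *src, size_t n)
{
    size_t add = strlen(src);
    if (add > n)
        add = n;
    return strlen(dst) + add + 1 > dst_size;
}

/* Constructed tor_version of len 'v' characters (static scratch buffer). */
const char *constructed_version(size_t len)
{
    static char buf[512];
    if (len >= sizeof(buf))
        len = sizeof(buf) - 1;
    memset(buf, 'v', len);
    buf[len] = '\0';
    return buf;
}

/* Model the original second strncat(): "Tor " already in the buffer, then
 * tor_version appended with either the buggy bound or the remaining room. */
bool original_bound_overflows(size_t version_len, bool use_correct_bound)
{
    char version[BUF_SIZE] = "Tor ";
    size_t n = use_correct_bound ? sizeof(version) - strlen(version) - 1
                                 : sizeof(version) - 1;
    return strncat_would_overflow(version, sizeof(version),
                                  constructed_version(version_len), n);
}

/* The patched pattern: snprintf() always NUL-terminates within the buffer, so
 * a long version is cut short, never overflowed. True if it was truncated. */
bool patched_banner_truncates(const char *tor_version)
{
    char version[BUF_SIZE];
    int needed = tor_version ? snprintf(version, sizeof(version), "Tor %s", tor_version)
                             : snprintf(version, sizeof(version), "Tor");
    return needed < 0 || (size_t)needed >= sizeof(version);
}
```

With the buggy bound the overflow only starts at a 124-character version string, which is why the bug is real but, with a build-time version string, rated low.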

Still, a quick commit (patch) was pushed directly to the master branch of TOR:
#include 
 #include 
 #include 
+#include 
 
 #ifdef HAVE_CYGWIN_SIGNAL_H
 #include 
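Review bot: the header name on the added `#include` line is not visible here (the angle-bracketed names were stripped from all four includes in this rendering), so a reader cannot confirm which header the new `snprintf()` call in `configure_backtrace_handler()` depends on; `snprintf()` is declared in `<stdio.h>`, so this line should pull in that header (or the project wrapper that provides it), and the commit message should say why the extra include is acceptable, given the suggestion at the end of the post that `strncat()` may have been chosen precisely to avoid one.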
@@ -264,16 +265,12 @@ dump_stack_symbols_to_error_fds(void)
 int
 configure_backtrace_handler(const char *tor_version)
 {
-  char version[128];
-  strncpy(version, "Tor", sizeof(version)-1);
+  char version[128] = "Tor\0";
 
   if (tor_version) {
-    strncat(version, " ", sizeof(version)-1);
-    strncat(version, tor_version, sizeof(version)-1);
+    snprintf(version, sizeof(version), "Tor %s", tor_version);
   }
 
-  version[sizeof(version) - 1] = 0;
-
   return install_bt_handler(version);
 }
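Review bot: the explicit `\0` in `char version[128] = "Tor\0";` is redundant, since initializing a char array from a string literal already zero-fills the remaining bytes, so plain `"Tor"` reads cleaner; the substantive fix is the `snprintf()` call, which always NUL-terminates within `sizeof(version)` and makes the removed `version[sizeof(version) - 1] = 0;` unnecessary. One thing still worth a code comment: the return value of `snprintf()` is discarded, so a `tor_version` longer than 123 characters is silently truncated rather than reported, which is harmless for a banner but should be stated as intentional.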
Perhaps the reason `strncat()` was used was to avoid including anything from lib/string. This was nothing special, but I hope you enjoyed the read.

Regards
Dhiraj
