Raise buffer size, fix checks for format_exit_helper_status.

This is probably not an exploitable bug, since you would need to have
errno be a large negative value in the unix pluggable-transport launcher
case.  Still, best avoided.

Fixes bug 9928; bugfix on 0.2.3.18-rc.

changes/bug9928

@@ -0,0 +1,5 @@
+  o Minor bugfixes:
+    - Avoid an off-by-one error when checking buffer boundaries when
+      formatting the exit status of a pluggable transport helper.
+      This is probably not an exploitable bug, but better safe than
+      sorry. Fixes bug 9928; bugfix on 0.2.3.18-rc.

src/common/util.c

@@ -3256,10 +3256,10 @@ format_hex_number_for_helper_exit_status(unsigned int x, char *buf,
  * <b>hex_errno</b>.  Called between fork and _exit, so must be signal-handler
  * safe.
  *
- * <b>hex_errno</b> must have at least HEX_ERRNO_SIZE bytes available.
+ * <b>hex_errno</b> must have at least HEX_ERRNO_SIZE+1 bytes available.
  *
  * The format of <b>hex_errno</b> is: "CHILD_STATE/ERRNO\n", left-padded
- * with spaces. Note that there is no trailing \0. CHILD_STATE indicates where
+ * with spaces. CHILD_STATE indicates where
  * in the processs of starting the child process did the failure occur (see
  * CHILD_STATE_* macros for definition), and SAVED_ERRNO is the value of
  * errno when the failure occurred.
@@ -3338,8 +3338,8 @@ format_helper_exit_status(unsigned char child_state, int saved_errno,
   left -= written;
   cur += written;
 
-  /* Check that we have enough space left for a newline */
-  if (left <= 0)
+  /* Check that we have enough space left for a newline and a NUL */
+  if (left <= 1)
     goto err;
 
   /* Emit the newline and NUL */
@@ -3594,7 +3594,7 @@ tor_spawn_background(const char *const filename, const char **argv,
      this is used for printing out the error message */
   unsigned char child_state = CHILD_STATE_INIT;
 
-  char hex_errno[HEX_ERRNO_SIZE];
+  char hex_errno[HEX_ERRNO_SIZE + 1];
 
   static int max_fd = -1;