tor-commits July 2019

tor-commits@lists.torproject.org

19 participants
1200 discussions

[tor/master] Prevent UB on signed overflow.
by dgoulet＠torproject.org 29 Jul '19

29 Jul '19

commit 17458a87d73f605fe6a4bb3c23cf2de135eec99c Author: Tobias Stoeckmann <tobias(a)stoeckmann.org> Date: Mon Jun 24 22:08:49 2019 +0200 Prevent UB on signed overflow. Overflowing a signed integer in C is an undefined behaviour. It is possible to trigger this undefined behaviour in tor_asprintf on Windows or systems lacking vasprintf. On these systems, eiter _vscprintf or vsnprintf is called to retrieve the required amount of bytes to hold the string. These functions can return INT_MAX. The easiest way to recreate this is the use of a specially crafted configuration file, e.g. containing the line: FirewallPorts AAAAA<in total 2147483610 As> This line triggers the needed tor_asprintf call which eventually leads to an INT_MAX return value from _vscprintf or vsnprintf. The needed byte for \0 is added to the result, triggering the overflow and therefore the undefined behaviour. Casting the value to size_t before addition fixes the behaviour. Signed-off-by: Tobias Stoeckmann <tobias(a)stoeckmann.org> --- src/lib/string/printf.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/src/lib/string/printf.c b/src/lib/string/printf.c index 415d4ac4a..00659337e 100644 --- a/src/lib/string/printf.c +++ b/src/lib/string/printf.c @@ -117,8 +117,8 @@ tor_vasprintf(char **strp, const char *fmt, va_list args) *strp = NULL; return -1; } - strp_tmp = tor_malloc(len + 1); - r = _vsnprintf(strp_tmp, len+1, fmt, args); + strp_tmp = tor_malloc((size_t)len + 1); + r = _vsnprintf(strp_tmp, (size_t)len+1, fmt, args); if (r != len) { tor_free(strp_tmp); *strp = NULL; @@ -143,9 +143,9 @@ tor_vasprintf(char **strp, const char *fmt, va_list args) *strp = tor_strdup(buf); return len; } - strp_tmp = tor_malloc(len+1); + strp_tmp = tor_malloc((size_t)len+1); /* use of tor_vsnprintf() will ensure string is null terminated */ - r = tor_vsnprintf(strp_tmp, len+1, fmt, args); + r = tor_vsnprintf(strp_tmp, (size_t)len+1, fmt, args); if (r != len) { tor_free(strp_tmp); *strp = NULL;

1 0

[tor/master] Changes file for bug 31001
by dgoulet＠torproject.org 29 Jul '19

29 Jul '19

commit 8bbec36b3b2dadbd23c7b3ffe2bccb7291aee1f0 Author: Nick Mathewson <nickm(a)torproject.org> Date: Fri Jul 19 09:21:08 2019 -0400 Changes file for bug 31001 --- changes/ticket31001 | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/changes/ticket31001 b/changes/ticket31001 new file mode 100644 index 000000000..2ce1cbdf3 --- /dev/null +++ b/changes/ticket31001 @@ -0,0 +1,6 @@ + o Minor bugfixes (compatibility, standards compliance): + - Fix a bug that would invoke undefined behavior on certain operating + systems when trying to asprintf() a string exactly INT_MAX bytes + long. We don't believe this is exploitable, but it's better + to fix it anyway. Fixes bug 31001; bugfix on 0.2.2.11-alpha. + Found and fixed by Tobias Stoeckmann.

1 0

[tor/maint-0.4.1] Prevent UB on signed overflow.
by dgoulet＠torproject.org 29 Jul '19

29 Jul '19

1 0

[tor/maint-0.4.1] Merge branch 'tor-github/pr/1179' into maint-0.4.1
by dgoulet＠torproject.org 29 Jul '19

29 Jul '19

commit 1d6054f75065214c55d17796cf1587692fbb5cea Merge: d8264ab62 8bbec36b3 Author: David Goulet <dgoulet(a)torproject.org> Date: Mon Jul 29 12:02:47 2019 -0400 Merge branch 'tor-github/pr/1179' into maint-0.4.1 changes/ticket31001 | 6 ++++++ src/lib/string/printf.c | 8 ++++---- 2 files changed, 10 insertions(+), 4 deletions(-)

1 0

[tor/master] Merge branch 'tor-github/pr/1179' into maint-0.4.1
by dgoulet＠torproject.org 29 Jul '19

29 Jul '19

1 0

[tor/release-0.4.1] Changes file for bug 31001
by dgoulet＠torproject.org 29 Jul '19

29 Jul '19

1 0

[tor/release-0.4.1] Prevent UB on signed overflow.
by dgoulet＠torproject.org 29 Jul '19

29 Jul '19

1 0

[tor/master] Merge branch 'maint-0.4.1'
by dgoulet＠torproject.org 29 Jul '19

29 Jul '19

commit 6dba86d7c92d25b5a6eedd0dbd75dc466dcaa43a Merge: 142612bd1 1d6054f75 Author: David Goulet <dgoulet(a)torproject.org> Date: Mon Jul 29 12:02:54 2019 -0400 Merge branch 'maint-0.4.1' changes/ticket31001 | 6 ++++++ src/lib/string/printf.c | 8 ++++---- 2 files changed, 10 insertions(+), 4 deletions(-)

1 0

[tor/release-0.4.1] Merge branch 'tor-github/pr/1179' into maint-0.4.1
by dgoulet＠torproject.org 29 Jul '19

29 Jul '19

1 0

[tor/release-0.4.1] Merge branch 'maint-0.4.1' into release-0.4.1
by dgoulet＠torproject.org 29 Jul '19

29 Jul '19

commit 3c8a7cb54c2b1bccdf1326d9d5b962bb61a02167 Merge: 99bc2ac5a 1d6054f75 Author: David Goulet <dgoulet(a)torproject.org> Date: Mon Jul 29 12:02:54 2019 -0400 Merge branch 'maint-0.4.1' into release-0.4.1 changes/ticket31001 | 6 ++++++ src/lib/string/printf.c | 8 ++++---- 2 files changed, 10 insertions(+), 4 deletions(-)

1 0

Jump to page:

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

tor-commits July 2019