[tor-bugs] #3683 [Tor Client]: Stream-isolation code does not handle NULs in SOCKS auth fields properly

Tor Bug Tracker & Wiki torproject-admin at torproject.org
Fri Aug 5 08:20:44 UTC 2011


#3683: Stream-isolation code does not handle NULs in SOCKS auth fields properly
------------------------+---------------------------------------------------
 Reporter:  rransom     |          Owner:  nickm             
     Type:  defect      |         Status:  needs_review      
 Priority:  normal      |      Milestone:  Tor: 0.2.3.x-final
Component:  Tor Client  |        Version:                    
 Keywords:              |         Parent:                    
   Points:              |   Actualpoints:                    
------------------------+---------------------------------------------------

Comment(by rransom):

 Replying to [comment:2 rransom]:
 > Replying to [comment:1 nickm]:

 > > Possible fix in branch bug3683 in my public repository.

 Some other pieces of Tor act as if an `edge_connection_t` might have
 `socks_request` set to `NULL` (or at least assert that it isn't).  Your
 bug3683 branch doesn't.

 Other than that, and the other issues I noted above, looks good.

 > > Also, I think that the use of uint8_t for
 > > usernamelen/socks_username_len might be wrong; socks4 authenticators are
 > > NUL-terminated IIRC, not length-extent?
 >
 > Yes.  Fortunately, the integer overflow that produced in `parse_socks`
 > seems to be relatively harmless.

 Er, no.  It would be very bad if someone used SOCKS4A with partially
 attacker-controlled authorization strings in the presence of that bug.
 That integer overflow seems to not lead to memory corruption within Tor,
 though.

-- 
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/3683#comment:3>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
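
The class of bug discussed in the comment above, as an added example that is not part of the ticket and is not Tor's code: when the length of a NUL-terminated field is stored in a `uint8_t`, it wraps at 256, and a comparison keyed on that stored length sees only a prefix. The names `auth_field_t`, `auth_field_set`, `auth_equal_narrow`, `auth_equal`, `demo` and `MAX_AUTH_LEN` are hypothetical, and the input is constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define MAX_AUTH_LEN 1024 /* assumed cap for this example */

/* Hypothetical record for illustration; not Tor's socks_request_t. */
typedef struct {
  char buf[MAX_AUTH_LEN];
  uint8_t len8; /* narrow length: wraps at 256 */
  size_t len;   /* full-width length */
} auth_field_t;

/* Store a NUL-terminated (SOCKS4-style) field read from data[0..avail).
 * Returns 0 on success, -1 if the field is unterminated or too long. */
int auth_field_set(auth_field_t *f, const char *data, size_t avail) {
  const char *nul = memchr(data, 0, avail);
  if (!nul) return -1;
  size_t n = (size_t)(nul - data);
  if (n >= MAX_AUTH_LEN) return -1;
  memcpy(f->buf, data, n);
  f->buf[n] = 0;
  f->len = n;
  f->len8 = (uint8_t)n; /* the narrowing: 256 -> 0, 260 -> 4 */
  return 0;
}

/* Flawed: trusts the 8-bit length, so it compares only a prefix. */
int auth_equal_narrow(const auth_field_t *a, const auth_field_t *b) {
  return a->len8 == b->len8 && memcmp(a->buf, b->buf, a->len8) == 0;
}

/* Corrected: full-width length and byte-wise compare, which also
 * stays exact for length-prefixed fields that contain NUL bytes. */
int auth_equal(const auth_field_t *a, const auth_field_t *b) {
  return a->len == b->len && memcmp(a->buf, b->buf, a->len) == 0;
}

/* Constructed input: "user" versus "user" followed by 256 'x' bytes. */
int demo(int use_full) {
  char longname[261];
  auth_field_t a, b;
  memcpy(longname, "user", 4);
  memset(longname + 4, 'x', 256);
  longname[260] = 0;
  if (auth_field_set(&a, "user", 5) ||
      auth_field_set(&b, longname, sizeof longname))
    return -1;
  return use_full ? auth_equal(&a, &b) : auth_equal_narrow(&a, &b);
}
```

With the narrow length the two distinct fields compare equal; with the `size_t` length they do not.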

