[tor-bugs] #4413 [Tor Relay]: Non-triggerable integer overflow in crypto_random_hostname()

Tor Bug Tracker & Wiki torproject-admin at torproject.org
Wed Dec 21 18:07:50 UTC 2011


#4413: Non-triggerable integer overflow in crypto_random_hostname()
-----------------------+----------------------------------------------------
 Reporter:  asn        |          Owner:                  
     Type:  defect     |         Status:  needs_review    
 Priority:  minor      |      Milestone:  Tor: unspecified
Component:  Tor Relay  |        Version:                  
 Keywords:  easy       |         Parent:                  
   Points:             |   Actualpoints:                  
-----------------------+----------------------------------------------------

Comment(by nickm):

 You're relying on crypto_rand_int returning the same thing in the check as
 it did in the assignment to randlen.

 Also, you're making the error behavior be "return (char*)INT_MAX;"  I'm
 not sure that makes a lot of sense: NULL is the usual way to indicate an
 error on returning a pointer.

 And even if this patch worked, it wouldn't solve the actual issue noted
 above, where the overflow happens in the rand_bytes_len calculation.

 What's wrong with the fix I suggested above?

-- 
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/4413#comment:4>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
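
An added illustration of the review points in the comment above (not Tor's code and not part of the original message): draw the random length once, validate that stored value, guard the byte-length multiplication against signed overflow, and return NULL on error. The names `demo_rand_int`, `rand_bytes_len_checked` and `random_label`, and the `(randlen*5+7)/8` base32 sizing formula, are assumptions made for this sketch; `rand()` is only a stand-in for a real CSPRNG.

```c
#include <limits.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for a bounded RNG: returns a value in [0, max).
 * Every call may return a different value, so call it once and keep it. */
static int demo_rand_int(int max) { return rand() % max; }

/* Assumed formula: bytes needed for randlen base32 characters (5 bits each).
 * Returns -1 instead of letting randlen*5+7 overflow a signed int. */
int rand_bytes_len_checked(int randlen)
{
  if (randlen < 0 || randlen > (INT_MAX - 7) / 5)
    return -1;
  return (randlen * 5 + 7) / 8;
}

/* Returns a malloc'd random base32 label, or NULL on any error. */
char *random_label(int min_len, int max_len)
{
  static const char alphabet[] = "abcdefghijklmnopqrstuvwxyz234567";
  unsigned char *bytes;
  char *out;
  int randlen, nbytes, i;

  if (min_len < 0 || max_len < min_len || max_len == INT_MAX)
    return NULL;                       /* keeps max-min+1 in range */
  randlen = min_len + demo_rand_int(max_len - min_len + 1);
  nbytes = rand_bytes_len_checked(randlen);  /* check the stored value */
  if (nbytes < 0)
    return NULL;
  bytes = malloc((size_t)nbytes + 1);
  out = malloc((size_t)randlen + 1);
  if (!bytes || !out) {
    free(bytes);
    free(out);
    return NULL;
  }
  for (i = 0; i < nbytes; i++)
    bytes[i] = (unsigned char)demo_rand_int(256);
  for (i = 0; i < randlen; i++) {      /* take 5 bits per output char */
    int bit = i * 5, v = bytes[bit / 8] << 8;
    if (bit / 8 + 1 < nbytes)
      v |= bytes[bit / 8 + 1];
    out[i] = alphabet[(v >> (11 - bit % 8)) & 31];
  }
  out[randlen] = '\0';
  free(bytes);
  return out;
}
```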