[tor-bugs] #2320 [Tor Client]: var_cell_t with payload_len 0 risky

Tor Bug Tracker & Wiki torproject-admin at torproject.org
Wed Jan 5 22:06:27 UTC 2011


#2320: var_cell_t with payload_len 0 risky
------------------------+---------------------------------------------------
 Reporter:  arma        |       Owner:                    
     Type:  defect      |      Status:  new               
 Priority:  normal      |   Milestone:  Tor: 0.2.2.x-final
Component:  Tor Client  |     Version:                    
 Keywords:              |      Parent:                    
------------------------+---------------------------------------------------

Comment(by nickm):

 I'm not sure there's a bug here.  If the cell length is 0,
 var_cell->payload[0] will not exist... but that's no surprise.  Similarly,
 if the cell length is 50, then var_cell->payload[50] will not exist.  It
 is an error to refer to any var_cell->payload[i] unless i <
 var_cell->payload_len.   If we have any code that looks at any part of
 var_cell->payload without checking that payload_len is large enough, that
 code is simply broken.

 In fact, we could go one better and allocate _fewer_ bytes if it turns out
 that var_cell is padded: instead of saying
 {{{
 sizeof(var_cell_t)+payload_len-1
 }}}
 we could instead say
 {{{
 STRUCT_OFFSET(var_cell_t, payload[payload_len])
 }}}

 Also, evbuffer_remove(x, junk, 0) is safe.

 So am I wrong, or is there a residual problem here?

-- 
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/2320#comment:3>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
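
An added example, not part of the original message or of Tor's source: the two allocation sizes discussed in the comment, next to an accessor that enforces i < payload_len. The struct layout (command, circ_id), cell_new() and cell_get_byte() are assumptions made for illustration, and offsetof() plus the length stands in for STRUCT_OFFSET.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Assumed layout, for illustration only: header fields plus a trailing
 * one-element array that really holds payload_len bytes. */
typedef struct var_cell_t {
  uint8_t command;
  uint16_t circ_id;
  uint16_t payload_len;
  uint8_t payload[1];
} var_cell_t;

/* First formula in the comment: includes any tail padding of the struct. */
static size_t size_by_sizeof(uint16_t payload_len) {
  return sizeof(var_cell_t) + payload_len - 1;
}

/* Second formula: offset of the byte just past the payload, spelled with
 * offsetof() plus a length instead of a STRUCT_OFFSET-style macro. */
static size_t size_by_offset(uint16_t payload_len) {
  return offsetof(var_cell_t, payload) + payload_len;
}

/* Hypothetical constructor that allocates exactly the bytes needed. */
static var_cell_t *cell_new(uint16_t payload_len) {
  var_cell_t *cell = calloc(1, size_by_offset(payload_len));
  if (cell) cell->payload_len = payload_len;
  return cell;
}

/* Hypothetical accessor enforcing i < payload_len; with payload_len 0
 * every index is rejected, so payload[0] is never touched. */
static int cell_get_byte(const var_cell_t *cell, size_t i, uint8_t *out) {
  if (i >= cell->payload_len) return -1;
  *out = cell->payload[i];
  return 0;
}

int main(void) {
  uint8_t b = 0;
  var_cell_t *empty = cell_new(0);
  if (!empty) return 1;
  printf("len 0: sizeof-based %zu bytes, offset-based %zu bytes\n",
         size_by_sizeof(0), size_by_offset(0));
  printf("read payload[0] of empty cell: %d\n", cell_get_byte(empty, 0, &b));
  free(empty);
  return 0;
}
```

With the tighter allocation a zero-length cell can be smaller than sizeof(var_cell_t), so the cell must only be accessed member by member and never copied as a whole struct.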

