[tor-bugs] #2320 [Tor Client]: var_cell_t with payload_len 0 risky

Tor Bug Tracker & Wiki torproject-admin at torproject.org
Thu Jan 6 15:41:40 UTC 2011


#2320: var_cell_t with payload_len 0 risky
------------------------+---------------------------------------------------
 Reporter:  arma        |       Owner:                    
     Type:  defect      |      Status:  new               
 Priority:  normal      |   Milestone:  Tor: 0.2.2.x-final
Component:  Tor Client  |     Version:                    
 Keywords:              |      Parent:                    
------------------------+---------------------------------------------------

Comment(by nickm):

 malloc(0) is a special case.  In the original code, how is it possible
 for an error to occur if nothing actually dereferences cell->payload[0]?

 ----
 Perhaps we should bite a bullet here and use C99 flexible arrays where
 they are available, falling back to GCC 0-length arrays, and only then to
 offsetof-based tricks.  I'm not sure what that actually buys us other than
 making our code uglier, though.

 http://gcc.gnu.org/onlinedocs/gcc-4.1.2/gcc/Zero-Length.html

-- 
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/2320#comment:6>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
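
The fallback ladder described in the comment above, as an added example that is not part of the ticket and is not Tor's code. Only the names var_cell_t, payload_len and payload come from the ticket; the struct layout, the FLEX_ARRAY macro and the example_* helpers are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Fallback ladder: C99 flexible array member, then GCC zero-length array,
 * then a 1-element array whose size is corrected with offsetof(). */
#if defined(__STDC_VERSION__) && __STDC_VERSION__ >= 199901L
#define FLEX_ARRAY            /* uint8_t payload[];  */
#elif defined(__GNUC__)
#define FLEX_ARRAY 0          /* uint8_t payload[0]; */
#else
#define FLEX_ARRAY 1          /* uint8_t payload[1]; */
#endif

/* Hypothetical layout; only the type and field names come from the ticket. */
typedef struct var_cell_t {
  uint8_t command;
  uint16_t payload_len;
  uint8_t payload[FLEX_ARRAY];
} var_cell_t;

/* Size the header with offsetof(), never sizeof(var_cell_t): the result is
 * the same in all three variants and is nonzero even when payload_len is 0. */
static size_t var_cell_alloc_size(uint16_t payload_len) {
  return offsetof(var_cell_t, payload) + payload_len;
}

var_cell_t *example_var_cell_new(uint16_t payload_len) {
  var_cell_t *cell = calloc(1, var_cell_alloc_size(payload_len));
  if (!cell) return NULL;
  cell->payload_len = payload_len;
  return cell;
}

/* Returns 0 and stores the byte if idx is inside the payload, -1 otherwise.
 * With payload_len == 0 every index is rejected, so payload[0] is never read. */
int example_var_cell_get(const var_cell_t *cell, size_t idx, uint8_t *out) {
  if (!cell || idx >= cell->payload_len) return -1;
  *out = cell->payload[idx];
  return 0;
}

int main(void) {
  var_cell_t *empty = example_var_cell_new(0);
  uint8_t b = 0;
  printf("alloc=%zu get=%d\n", var_cell_alloc_size(0), example_var_cell_get(empty, 0, &b));
  free(empty);
  return 0;
}
```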

