[tor-bugs] #4413 [Tor Relay]: Non-triggerable integer overflow in crypto_random_hostname()

Tor Bug Tracker & Wiki torproject-admin at torproject.org
Sun Nov 6 15:45:34 UTC 2011


#4413: Non-triggerable integer overflow in crypto_random_hostname()
-----------------------+----------------------------------------------------
 Reporter:  asn        |          Owner:     
     Type:  defect     |         Status:  new
 Priority:  normal     |      Milestone:     
Component:  Tor Relay  |        Version:     
 Keywords:             |         Parent:     
   Points:             |   Actualpoints:     
-----------------------+----------------------------------------------------
 {{{
 char *
 crypto_random_hostname(int min_rand_len, int max_rand_len, const char *prefix,
                        const char *suffix)
 ...
   randlen = min_rand_len + crypto_rand_int(max_rand_len - min_rand_len + 1);
 ...
   rand_bytes_len = ((randlen*5)+7)/8;
   if (rand_bytes_len % 5)
     rand_bytes_len += 5 - (rand_bytes_len%5);
   rand_bytes = tor_malloc(rand_bytes_len);
 }}}

 If `randlen` overflows in `rand_bytes_len = ((randlen*5)+7)/8;` we pass a
 negative value to `tor_malloc()`.

 I don't see this happening any time soon, since all the currently used
 crypto_random_hostname() arguments are very small, but it might be good to
 fix it for completeness.

-- 
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/4413>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
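
An added example, not part of the ticket or of Tor's source: one way to guard the length computation quoted above so that `randlen*5+7` can never overflow before the allocation. The helper name `checked_rand_bytes_len` and the sample inputs are assumptions made for illustration.

```c
#include <limits.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical helper (not Tor's code): computes the number of random bytes
 * needed for `randlen` base32 characters, using the same arithmetic as the
 * excerpt, but refusing inputs where (randlen*5)+7 would overflow int.
 * Returns 0 and stores the result in *out on success, -1 otherwise. */
static int
checked_rand_bytes_len(int randlen, size_t *out)
{
  int len;
  /* Reject negatives and anything where (randlen*5)+7 would exceed INT_MAX.
   * The bound is computed by division, so the check itself cannot overflow. */
  if (randlen < 0 || randlen > (INT_MAX - 7) / 5)
    return -1;
  len = ((randlen * 5) + 7) / 8;
  /* Round up to a multiple of 5 bytes, as in the excerpt. */
  if (len % 5)
    len += 5 - (len % 5);
  /* len is non-negative here, so the conversion to size_t is value-preserving
   * and cannot turn into a huge allocation request. */
  *out = (size_t)len;
  return 0;
}

int
main(void)
{
  /* Constructed sample inputs: two small lengths and two at the boundary. */
  int samples[] = { 8, 20, (INT_MAX - 7) / 5, (INT_MAX - 7) / 5 + 1 };
  size_t i, n;
  for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
    if (checked_rand_bytes_len(samples[i], &n) == 0)
      printf("randlen=%d -> %zu bytes\n", samples[i], n);
    else
      printf("randlen=%d -> rejected (would overflow)\n", samples[i]);
  }
  return 0;
}
```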

