[tor-bugs] #4230 [Tor Client]: smartlist functions contain bogus overflow checks
Tor Bug Tracker & Wiki
torproject-admin at torproject.org
Wed Nov 9 21:20:43 UTC 2011
#4230: smartlist functions contain bogus overflow checks
------------------------+---------------------------------------------------
Reporter: rransom | Owner:
Type: defect | Status: needs_review
Priority: major | Milestone: Tor: 0.2.1.x-final
Component: Tor Client | Version:
Keywords: | Parent:
Points: | Actualpoints:
------------------------+---------------------------------------------------
Comment(by asn):
In a x86-64 system, SIZEOF_SIZE_T == SIZEOF_INT and MAX_CAPACITY becomes
(int) (UINT_MAX / 8) == '''2^29''', and MAX_CAPACITY/2 == '''2^27'''.
If you pass a `size` bigger than 2^29 or INT_MAX/4, it will get in the `if
(PREDICT_UNLIKELY(size > MAX_CAPACITY/2)) {` and hit the `tor_assert(size
<= MAX_CAPACITY);`.
I'm not sure if this is in the function's threat model, since you have to
pass an enormous `size` and it would in any case probably OOM from the
`realloc()`, but even the original overflow of this ticket needed a huge
`size`.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/4230#comment:15>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
More information about the tor-bugs
mailing list