[tor-bugs] #4230 [Tor Client]: smartlist functions contain bogus overflow checks
Tor Bug Tracker & Wiki
torproject-admin at torproject.org
Wed Nov 9 21:23:55 UTC 2011
#4230: smartlist functions contain bogus overflow checks
------------------------+---------------------------------------------------
Reporter: rransom | Owner:
Type: defect | Status: needs_review
Priority: major | Milestone: Tor: 0.2.1.x-final
Component: Tor Client | Version:
Keywords: | Parent:
Points: | Actualpoints:
------------------------+---------------------------------------------------
Comment(by asn):
In a x86-64 system, `SIZEOF_SIZE_T == SIZEOF_INT` and `MAX_CAPACITY`
becomes (int) (UINT_MAX / 8) == 2^29^, and MAX_CAPACITY/2 == 2^27^.
If you pass a size bigger than 2^29^ or INT_MAX/4, it will get in the `if
(PREDICT_UNLIKELY(size > MAX_CAPACITY/2)) {` and hit the `tor_assert(size
<= MAX_CAPACITY);`.
I'm not sure if this is in the function's threat model, since you have to
pass an enormous size and it would in any case probably OOM from the
`realloc()`, but even the original overflow of this ticket needed a huge
size.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/4230#comment:16>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
More information about the tor-bugs
mailing list