[tor-bugs] #6530 [Tor Relay]: Out-of-bounds read in networkstatus_parse_vote_from_string()

Tor Bug Tracker & Wiki torproject-admin at torproject.org
Fri Aug 3 03:43:25 UTC 2012


#6530: Out-of-bounds read in networkstatus_parse_vote_from_string()
-----------------------+----------------------------------------------------
 Reporter:  asn        |          Owner:                    
     Type:  defect     |         Status:  new               
 Priority:  major      |      Milestone:  Tor: 0.2.2.x-final
Component:  Tor Relay  |        Version:                    
 Keywords:             |         Parent:                    
   Points:             |   Actualpoints:                    
-----------------------+----------------------------------------------------
 {{{
   tok = find_by_keyword(tokens, K_NETWORK_STATUS_VERSION);
   tor_assert(tok);
   if (tok->n_args > 1) {
     int flavor = networkstatus_parse_flavor_name(tok->args[1]);
     if (flavor < 0) {
       log_warn(LD_DIR, "Can't parse document with unknown flavor %s",
                escaped(tok->args[2]));
       goto err;
     }
     ns->flavor = flav = flavor;
   }
 }}}

 `networkstatus_parse_vote_from_string()` validates the '''second'''
 argument of `network-status-version` which is the flavor of the
 consensus. If the flavor is invalid it log_warn()s the '''third'''
 argument which is not guaranteed to exist. This means that `escaped()`
 receives a non-allocated section of memory as its argument and treats it
 as a pointer to a string; this should lead to a segfault.

-- 
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/6530>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
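
The index mismatch described in the ticket, shown with the corrected pattern as an added example (not part of the original report and not Tor's own code). The `demo_*` names, the token struct and the flavor table are hypothetical stand-ins, and defaulting to "ns" when no flavor argument is present is an assumption.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for a directory token: only args[0..n_args-1] exist. */
typedef struct {
  int n_args;
  const char **args;
} demo_token_t;

/* Bounds-checked accessor: returns NULL instead of reading past n_args. */
static const char *demo_tok_arg(const demo_token_t *tok, int idx) {
  if (!tok || idx < 0 || idx >= tok->n_args)
    return NULL;
  return tok->args[idx];
}

/* Hypothetical flavor lookup: 0 = "ns", 1 = "microdesc", -1 = unknown. */
static int demo_parse_flavor_name(const char *name) {
  if (!name) return -1;
  if (!strcmp(name, "ns")) return 0;
  if (!strcmp(name, "microdesc")) return 1;
  return -1;
}

/* Returns the flavor or -1. On failure *bad_out is the argument that was
 * validated (args[1]), so the log call never touches args[2]. */
static int demo_check_flavor(const demo_token_t *tok, const char **bad_out) {
  *bad_out = NULL;
  if (tok->n_args <= 1)
    return 0;                        /* assumption: no flavor means "ns" */
  const char *name = demo_tok_arg(tok, 1);
  int flavor = demo_parse_flavor_name(name);
  if (flavor < 0)
    *bad_out = name;                 /* same index that failed validation */
  return flavor;
}

int main(void) {
  /* Constructed input: version plus an unknown flavor, and no third arg. */
  const char *args[] = { "3", "bogus" };
  demo_token_t tok = { 2, args };
  const char *bad;
  if (demo_check_flavor(&tok, &bad) < 0)
    printf("Can't parse document with unknown flavor %s\n", bad);
  return 0;
}
```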

