[tor-bugs] #7191 [Tor]: smartlist_bsearch_idx() is broken for short lists

Tor Bug Tracker & Wiki torproject-admin at torproject.org
Mon Oct 22 20:16:11 UTC 2012


#7191: smartlist_bsearch_idx() is broken for short lists
--------------------+-------------------------------------------------------
 Reporter:  andrea  |          Owner:  andrea            
     Type:  defect  |         Status:  new               
 Priority:  major   |      Milestone:  Tor: 0.2.4.x-final
Component:  Tor     |        Version:  Tor: 0.2.4.3-alpha
 Keywords:          |         Parent:                    
   Points:          |   Actualpoints:                    
--------------------+-------------------------------------------------------
 Per asn:

 --- begin quote ---

 Hi Andrea,

 this is a possible bug I was discussing with Nick. He is pretty busy these
 days, so a third set of eyes could be useful:

 <asn> hi
 <asn> fwiw smartlist_bsearch_idx() seems a bit sloppy
 <asn> it doesn't handle the case where the sl is empty (smartlist_len(sl)
 - 1, underflows)
 <asn> and if sl has one element, there is still the danger of underflowing
 'hi = mid-1;'.
 <asn> from what I see, the function is only used with smartlist carrying
 the whole routerlist, so it's "safe" till tor has only one relay.
 <nickm> ...at which point we've got other problems, yeah.
 <nickm> still a good idea to fix it
 <nickm> hang on
 <nickm> it's used in smartlist_bsearch, which is used in other places too
 <asn> i think smartlist_bsearch() is also only used with the whole
 routerlist.
 <nickm> you mean networkstatus
 <nickm> the routerlist is the list of routerinfo_t we know
 <nickm> there are enough places where it's used that I think we should
 have more eyes looking at it before we accidentally 0day ourselves.  I'll
 look through the code by thursday; you can also ask athena on
 #tor-internal if you like
 <asn> btw, the interface of smartlist_bsearch_idx() doesn't allow
 particularly elegant error handling :(

 --- end quote ---

 This function is broken for lists of length zero or one and doesn't check
 the pointer arguments for nullness properly.

-- 
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/7191>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
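The two edge cases the ticket names (a list of length zero and a list of length one) and the missing argument checks, shown in an added example that is not Tor's smartlist_bsearch_idx() and not code from this ticket. The list type, the example_ functions, the int comparator and the fixtures are all constructed for illustration; assert() stands in for whatever fatal check a project would use. The search keeps the contract the ticket describes (index of the match with *found_out set, or the insertion index with *found_out clear), answers the empty list before any length-minus-one arithmetic, tolerates hi going to -1 on a one-element miss, and checks its own answers against a linear scan. The overflow-safe midpoint is a general precaution, not something raised in the ticket.

```c
#include <assert.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed stand-in for a sorted list of element pointers.
 * This is NOT Tor's smartlist_t. */
typedef struct {
  const void **list;
  int num_used;
} sorted_list_t;

/* Hypothetical search with the contract discussed in the ticket: on a hit,
 * set *found_out = 1 and return the element's index; on a miss, set
 * *found_out = 0 and return the index at which key would be inserted to
 * keep the list sorted (anywhere from 0 to num_used inclusive). */
int
example_bsearch_idx(const sorted_list_t *sl, const void *key,
                    int (*compare)(const void *key, const void **member),
                    int *found_out)
{
  int lo, hi, mid, cmp;

  /* Reject NULL arguments before touching them. */
  assert(sl != NULL);
  assert(compare != NULL);
  assert(found_out != NULL);
  assert(sl->num_used >= 0);

  /* Length zero: answer before any "len - 1" arithmetic happens. */
  if (sl->num_used == 0) {
    *found_out = 0;
    return 0;
  }

  lo = 0;
  hi = sl->num_used - 1;            /* >= 0 from here on */

  /* Invariant: list[i] < key for all i < lo, list[i] > key for all i > hi. */
  while (lo <= hi) {
    mid = lo + (hi - lo) / 2;       /* unlike (lo + hi) / 2, cannot overflow */
    cmp = compare(key, &sl->list[mid]);
    if (cmp > 0) {
      lo = mid + 1;
    } else if (cmp < 0) {
      hi = mid - 1;                 /* -1 on a one-element miss; loop ends */
    } else {
      *found_out = 1;
      return mid;
    }
  }
  *found_out = 0;
  return lo;                        /* lo == hi + 1: the insertion point */
}

/* Comparator in the shape the search expects: key vs. element pointer. */
static int
compare_int(const void *key, const void **member)
{
  int k = *(const int *)key, m = *(const int *)*member;
  return (k > m) - (k < m);
}

/* Constructed, already sorted fixtures. */
static const int one_val[] = { 10 };
static const int four_vals[] = { 1, 3, 5, 7 };

static sorted_list_t
make_list(const int *vals, int n, const void **storage)
{
  sorted_list_t sl;
  int i;
  for (i = 0; i < n; ++i)
    storage[i] = &vals[i];
  sl.list = storage;
  sl.num_used = n;
  return sl;
}

/* Cross-checks every key in [first, last] against a linear scan. */
static int
agrees_with_linear(const sorted_list_t *sl, int first, int last)
{
  int key;
  for (key = first; key <= last; ++key) {
    int i, found = -1, want_idx = sl->num_used, want_found = 0;
    for (i = 0; i < sl->num_used; ++i) {
      int m = *(const int *)sl->list[i];
      if (m >= key) { want_idx = i; want_found = (m == key); break; }
    }
    if (example_bsearch_idx(sl, &key, compare_int, &found) != want_idx ||
        found != want_found)
      return 0;
  }
  return 1;
}

/* Exercises lengths 0, 1 and 4; returns 1 if every answer agrees. */
int
example_selftest(void)
{
  const void *s0[1], *s1[1], *s4[4];
  sorted_list_t l0 = make_list(one_val, 0, s0);
  sorted_list_t l1 = make_list(one_val, 1, s1);
  sorted_list_t l4 = make_list(four_vals, 4, s4);
  return agrees_with_linear(&l0, -2, 2) &&
         agrees_with_linear(&l1, 5, 15) &&
         agrees_with_linear(&l4, 0, 8);
}

/* Insertion index for a key above the sole element of a one-element list:
 * the search must report 1 with *found_out clear, not an index of -1. */
int
example_one_element_miss(void)
{
  const void *s[1];
  sorted_list_t l1 = make_list(one_val, 1, s);
  int key = 15, found = -1;
  int idx = example_bsearch_idx(&l1, &key, compare_int, &found);
  return found == 0 ? idx : -1;
}

int
main(void)
{
  int ok = example_selftest() && example_one_element_miss() == 1;
  printf("%s\n", ok ? "ok" : "FAIL");
  return ok ? 0 : 1;
}
```

The linear-scan cross-check is the part worth keeping around: a binary search that is only ever run against the full consensus list, as the IRC discussion notes, will not see a length-0 or length-1 list in production, so a unit test over the short lengths is the only place that path gets exercised.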