[tor-bugs] #7191 [Tor]: smartlist_bsearch_idx() is broken for short lists

Tor Bug Tracker & Wiki torproject-admin at torproject.org
Tue Oct 23 20:42:52 UTC 2012


#7191: smartlist_bsearch_idx() is broken for short lists
-----------------------------------------+----------------------------------
 Reporter:  andrea                       |          Owner:  andrea            
     Type:  defect                       |         Status:  needs_review      
 Priority:  major                        |      Milestone:  Tor: 0.2.3.x-final
Component:  Tor                          |        Version:  Tor: 0.2.4.3-alpha
 Keywords:  tor-relay denial-of-service  |         Parent:                    
   Points:                               |   Actualpoints:                    
-----------------------------------------+----------------------------------
Changes (by nickm):

  * keywords:  => tor-relay denial-of-service


Comment:

 For completeness: there's a DOS opportunity here, but I am pretty sure you
 need to be a directory server, or able to replace somebody's geoip file,
 to do it.  A networkstatus vote with 0 or 1 entries, or a geoip file with
 0 or 1 entries, or a networkstatus consensus with 0 or 1 entries, or a v2
 networkstatus with 0 or 1 entries would all provoke a crash.

 I am pretty sure that in the networkstatus cases above, there isn't a way
 to provoke these against a regular client or relay except by controlling
 the consensus of authorities -- in which case you already win.

 The v2 networkstatus one means that any of the v2 authorities can take
 down any node that's fetching or caching v2 networkstatus information,
 including the other authorities.

 The authorities might also be able to crash each other during the voting
 process; I'm not sure there.

 There shouldn't be a way to wind up with a hostile geoip file.

 Given the authorities' collective status, I'm not going to run in
 circles shouting here, but we need to decide whether there's an 0.2.2
 backport.

-- 
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/7191#comment:12>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
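
Added example, not Tor's code and not part of the ticket: a binary search that returns a match index or an insertion index and stays in bounds for the 0- and 1-entry lists the comment names. The function names (`sorted_bsearch_idx`, `sorted_lookup`, `cmp_int`) and the int-keyed data are hypothetical.

```c
#include <stddef.h>

/* Hypothetical helper (not Tor's smartlist API): binary search over a sorted
 * array of pointers. On a hit, returns the member's index and sets
 * *found_out = 1. On a miss, returns the index where key would be inserted
 * and sets *found_out = 0. The result is always in [0, len], so on a miss it
 * can equal len and must not be used to index the array. */
static int
sorted_bsearch_idx(void *const *items, int len, const void *key,
                   int (*cmp)(const void *key, const void *member),
                   int *found_out)
{
  int lo = 0, hi = len;   /* half-open range [lo, hi); empty when len == 0 */

  *found_out = 0;
  while (lo < hi) {       /* never entered for an empty list */
    int mid = lo + (hi - lo) / 2;   /* no overflow, always < hi */
    int c = cmp(key, items[mid]);
    if (c == 0) {
      *found_out = 1;
      return mid;
    } else if (c < 0) {
      hi = mid;           /* key sorts before items[mid] */
    } else {
      lo = mid + 1;       /* key sorts after items[mid] */
    }
  }
  return lo;              /* insertion point, possibly == len */
}

/* Caller-side rule: dereference the index only when found is set. */
static const void *
sorted_lookup(void *const *items, int len, const void *key,
              int (*cmp)(const void *key, const void *member))
{
  int found;
  int idx = sorted_bsearch_idx(items, len, key, cmp, &found);
  return found ? items[idx] : NULL;
}

/* Constructed comparator for int keys and int members. */
static int
cmp_int(const void *key, const void *member)
{
  int k = *(const int *)key, m = *(const int *)member;
  return (k > m) - (k < m);
}
```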

