[tor-bugs] #7191 [Tor]: smartlist_bsearch_idx() is broken for short lists

Tor Bug Tracker & Wiki torproject-admin at torproject.org
Tue Oct 23 20:50:07 UTC 2012


#7191: smartlist_bsearch_idx() is broken for short lists
-----------------------------------------+----------------------------------
 Reporter:  andrea                       |          Owner:  andrea            
     Type:  defect                       |         Status:  needs_review      
 Priority:  major                        |      Milestone:  Tor: 0.2.3.x-final
Component:  Tor                          |        Version:  Tor: 0.2.4.3-alpha
 Keywords:  tor-relay denial-of-service  |         Parent:                    
   Points:                               |   Actualpoints:                    
-----------------------------------------+----------------------------------

Comment(by andrea):

 Replying to [comment:12 nickm]:
 > For completeness: there's a DOS opportunity here, but I am pretty sure
 > you need to be a directory server, or able to replace somebody's geoip
 > file, to do it.  A networkstatus vote with 0 or 1 entries, or a geoip file
 > with 0 or 1 entries, or a networkstatus consensus with 0 or 1 entries, or
 > a v2 networkstatus with 0 or 1 entries would all provoke a crash.
 >
 > I am pretty sure that in the networkstatus cases above, there isn't a
 > way to provoke these against a regular client or relay except by
 > controlling the consensus of authorities -- in which case you already win.
 >
 > The v2 networkstatus one means that any of the v2 authorities can take
 > down any node that's fetching or caching v2 networkstatus information,
 > including the other authorities.
 >
 > The authorities might also be able to crash each other during the voting
 > process; I'm not sure there.
 >
 > There shouldn't be a way to wind up with a hostile geoip file.
 >
 > Given the authorities' collective status, I'm not going to run in
 > circles shouting here, but we need to decide whether there's an 0.2.2
 > backport.

 Hmm - how long has it been since that function has even been changed?  I'm
 going to guess "a long time" and that backporting would be a pretty easy
 matter of replacing it in the old branch, no merging required.  If so, it
 seems like an obvious thing to do.

-- 
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/7191#comment:13>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
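
An added example, not part of the ticket and not Tor's code: a binary search that returns an index plus a found flag and stays in bounds for the 0- and 1-entry lists discussed above. The names `bsearch_idx` and `lookup_or_null` and the string-array layout are assumptions for illustration; the sketch does not reproduce the reported defect.

```c
#include <stddef.h>
#include <string.h>

/*
 * Hypothetical helper (not Tor's smartlist API): search a sorted array of
 * n strings for key. Returns the index of key and sets *found_out to 1 if
 * present; otherwise returns the index where key would be inserted
 * (anywhere in 0..n) and sets *found_out to 0.
 */
size_t
bsearch_idx(const char *const *items, size_t n, const char *key,
            int *found_out)
{
  /* Half-open range [lo, hi). With n == 0 the loop body never runs, so
   * items is never dereferenced, and no index can go below zero. */
  size_t lo = 0, hi = n;

  *found_out = 0;
  while (lo < hi) {
    size_t mid = lo + (hi - lo) / 2;   /* always < hi, so always < n */
    int c = strcmp(key, items[mid]);

    if (c == 0) {
      *found_out = 1;
      return mid;
    }
    if (c < 0)
      hi = mid;        /* key sorts before items[mid] */
    else
      lo = mid + 1;    /* key sorts after items[mid] */
  }
  return lo;           /* insertion point; may equal n */
}

/*
 * Caller-side rule: the returned index is a valid element only when the
 * found flag is set. An insertion point equal to n is one past the end.
 */
const char *
lookup_or_null(const char *const *items, size_t n, const char *key)
{
  int found;
  size_t i = bsearch_idx(items, n, key, &found);

  return found ? items[i] : NULL;
}
```
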

