[tor-bugs] #6861 [Tor Client]: Undefined behavior in rend_parse_service_authorization()
Tor Bug Tracker & Wiki
torproject-admin at torproject.org
Sun Sep 16 15:15:18 UTC 2012
#6861: Undefined behavior in rend_parse_service_authorization()
------------------------+---------------------------------------------------
Reporter: asn | Owner:
Type: defect | Status: new
Priority: normal | Milestone: Tor: 0.2.4.x-final
Component: Tor Client | Version:
Keywords: | Parent:
Points: | Actualpoints:
------------------------+---------------------------------------------------
{{{
char descriptor_cookie_tmp[REND_DESC_COOKIE_LEN+2];
...
if (base64_decode(descriptor_cookie_tmp,
sizeof(descriptor_cookie_tmp),
descriptor_cookie_base64ext,
strlen(descriptor_cookie_base64ext)) < 0) {
log_warn(LD_CONFIG, "Decoding authorization cookie failed: '%s'",
descriptor_cookie);
goto err;
}
auth_type_val = (descriptor_cookie_tmp[16] >> 4) + 1;
}}}
`descriptor_cookie_tmp` is a char array and chars are signed. The right
shift there can cause undefined behavior if `descriptor_cookie_tmp[16]` is
a negative value.
Reported on IRC.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/6861>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
More information about the tor-bugs
mailing list