[tor-bugs] #10313 [Tor]: or/channeltls.c Pointer Overflow Leads To Undefined Behavior, No Error Handling

Tor Bug Tracker & Wiki blackhole at torproject.org
Sat Dec 7 09:11:35 UTC 2013 

#10313: or/channeltls.c Pointer Overflow Leads To Undefined Behavior, No Error
Handling
-------------------------------------------------+-------------------------
 Reporter:  jaredlwong                           |          Owner:
     Type:  defect                               |         Status:  new
 Priority:  normal                               |      Milestone:
Component:  Tor                                  |        Version:  Tor:
 Keywords:  pointer overflow undefined behavior  |  unspecified
Parent ID:                                       |  Actual Points:
                                                 |         Points:
-------------------------------------------------+-------------------------
 The bug is on line 1438 of or/channeltls.c. The original code had a check
 to see if the cp pointer (I believe this represents the current payload
 being processed) stepped over the bounds of the cell, by comparing cp >=
 end. This is a bad check because any pointer to any array indexed more
 than 1 past the end of an array is undefined behavior. This means that the
 compiler is free to optimize out this check because it can assume that the
 programmer never increases her pointer to an undefined region. Thus, under
 certain compilers in certain optimizations, this check may be optimized
 out.

 See section 2.4 of this survey for a concise description of this behavior:
 http://pdos.csail.mit.edu/papers/ub:apsys12.pdf

 The patch is included below.

 {{{
 *** tor-b600495/src/or/channeltls.c     2013-12-05 09:30:11.000000000
 -0800
 --- tor-bugfix/src/or/channeltls.c      2013-12-07 00:43:09.438040392
 -0800
 *************** channel_tls_process_netinfo_cell(cell_t
 *** 1435,1441 ****
     my_addr_ptr = (uint8_t*) cell->payload + 6;
     end = cell->payload + CELL_PAYLOAD_SIZE;
     cp = cell->payload + 6 + my_addr_len;
 !   if (cp >= end) {
       log_fn(LOG_PROTOCOL_WARN, LD_OR,
              "Addresses too long in netinfo cell; closing connection.");
       connection_or_close_for_error(chan->conn, 0);
 --- 1435,1441 ----
     my_addr_ptr = (uint8_t*) cell->payload + 6;
     end = cell->payload + CELL_PAYLOAD_SIZE;
     cp = cell->payload + 6 + my_addr_len;
 !   if (my_addr_len >= CELL_PAYLOAD_SIZE - 6) {
       log_fn(LOG_PROTOCOL_WARN, LD_OR,
              "Addresses too long in netinfo cell; closing connection.");
       connection_or_close_for_error(chan->conn, 0);

 }}}

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/10313>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

More information about the tor-bugs mailing list