[tor-bugs] #10313 [Tor]: or/channeltls.c Pointer Overflow Leads To Undefined Behavior, No Error Handling

Tor Bug Tracker & Wiki blackhole at torproject.org
Mon Dec 9 15:53:36 UTC 2013


#10313: or/channeltls.c Pointer Overflow Leads To Undefined Behavior, No Error
Handling
-------------------------+-------------------------------------------------
     Reporter:           |      Owner:
  jaredlwong             |     Status:  new
         Type:  defect   |  Milestone:  Tor: 0.2.5.x-final
     Priority:  normal   |    Version:  Tor: unspecified
    Component:  Tor      |   Keywords:  pointer overflow undefined behavior
   Resolution:           |  024-backport
Actual Points:           |  Parent ID:
       Points:           |
-------------------------+-------------------------------------------------

Comment (by nickm):

 Fortunately, the check is in fact never going to get needed, as discussed
 in #9980:  my_addr_len is set with
 {{{
   my_addr_len = (uint8_t) cell->payload[5];
 }}}
 and so it can never be greater than 255.  CELL_PAYLOAD_SIZE is 509, so
 my_addr_len can never be greater than CELL_PAYLOAD_SIZE - 6. The whole
 check is unnecessary.

 That said, I'm applying this smaller fix, with a comment.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/10313#comment:3>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
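
The reasoning in nickm's comment, as an added example that is not code from the ticket or from Tor: a bounds check written on integer lengths, so no pointer past the buffer is ever formed, run over every value a one-byte length field can hold. The names addr_fits, extract_addr, count_rejected and ADDR_OFFSET are hypothetical, and the layout (length byte at payload[5], address bytes from offset 6) is assumed from the comment. It goes beyond the ticket by also trying a 16-bit length field and a shorter buffer, where the same check does become necessary.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define CELL_PAYLOAD_SIZE 509 /* value given in the comment above */
#define ADDR_OFFSET 6         /* assumed: address bytes follow payload[5] */

/* Hypothetical helper (not a Tor function): 1 if `len` bytes starting at
 * ADDR_OFFSET fit in `payload_size` bytes. Only integers are compared, so no
 * out-of-bounds pointer is ever formed. */
static int addr_fits(size_t payload_size, size_t len)
{
  return payload_size >= ADDR_OFFSET && len <= payload_size - ADDR_OFFSET;
}

/* Copy the address out of a payload; returns its length, or -1 if the
 * length byte claims more data than the payload or `out` can hold. */
static int extract_addr(const uint8_t *payload, size_t payload_size,
                        uint8_t *out, size_t out_size)
{
  if (payload_size < ADDR_OFFSET)
    return -1;
  size_t len = payload[5];
  if (!addr_fits(payload_size, len) || len > out_size)
    return -1;
  memcpy(out, payload + ADDR_OFFSET, len);
  return (int)len;
}

/* Count length values in [0, max_len] that the check rejects. */
static long count_rejected(size_t payload_size, unsigned long max_len)
{
  long rejected = 0;
  for (unsigned long len = 0; len <= max_len; len++)
    rejected += !addr_fits(payload_size, len);
  return rejected;
}

int main(void)
{
  uint8_t cell[CELL_PAYLOAD_SIZE] = {0}, out[255]; /* constructed sample */
  cell[5] = 4;
  memcpy(cell + ADDR_OFFSET, "\x7f\x00\x00\x01", 4);
  printf("addr len: %d\n", extract_addr(cell, sizeof cell, out, sizeof out));
  printf("u8 rejected: %ld\n", count_rejected(CELL_PAYLOAD_SIZE, UINT8_MAX));
  printf("u16 rejected: %ld\n", count_rejected(CELL_PAYLOAD_SIZE, UINT16_MAX));
  printf("short buffer: %ld\n", count_rejected(16, UINT8_MAX));
  return 0;
}
```

With a 509-byte payload and a one-byte length, the check rejects nothing, which matches the comment; widening the field or shrinking the buffer makes it reject input.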

