[tor-bugs] #10313 [Tor]: or/channeltls.c Pointer Overflow Leads To Undefined Behavior, No Error Handling

Tor Bug Tracker & Wiki blackhole at torproject.org
Mon Dec 9 16:07:10 UTC 2013


#10313: or/channeltls.c Pointer Overflow Leads To Undefined Behavior, No Error
Handling
-------------------------+-------------------------------------------------
     Reporter:           |      Owner:
  jaredlwong             |     Status:  new
         Type:  defect   |  Milestone:  Tor: 0.2.4.x-final
     Priority:  normal   |    Version:  Tor: unspecified
    Component:  Tor      |   Keywords:  pointer overflow undefined behavior
   Resolution:           |  024-backport
Actual Points:           |  Parent ID:
       Points:           |
-------------------------+-------------------------------------------------
Changes (by nickm):

 * milestone:  Tor: 0.2.5.x-final => Tor: 0.2.4.x-final


Comment:

 Did a branch "bug10313_024" that just removed the check, and merged it
 into 0.2.5.  Given that the check isn't necessary at all, I'm inclined not
 to backport into 0.2.4, unless somebody thinks I have missed something.

 (To confirm that the check isn't necessary, the compiler gave me:
 {{{
 src/or/channeltls.c:1411:19: error: comparison of constant 503 with
 expression
       of type 'uint8_t' (aka 'unsigned char') is always false
       [-Werror,-Wtautological-constant-out-of-range-compare]
   if (my_addr_len >= CELL_PAYLOAD_SIZE - 6) {
       ~~~~~~~~~~~ ^  ~~~~~~~~~~~~~~~~~~~~~
 }}}
 when I tried using the patch posted above. )

 Leaving for an 0.2.4 backport, though my recommendation is still "this
 isn't needed unless I missed something.."

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/10313#comment:4>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
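
Added illustration (not part of the ticket comment above, and not Tor's code): the sketch below shows why a one-byte length can never reach the 503 in the compiler warning, and how a bounds check reads when it compares lengths instead of computed pointers. It assumes CELL_PAYLOAD_SIZE is 509 (so that CELL_PAYLOAD_SIZE - 6 is 503) and a 6-byte header whose last byte is the address length; all function names are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define CELL_PAYLOAD_SIZE 509 /* assumed, so CELL_PAYLOAD_SIZE - 6 == 503 */
#define ADDR_HDR_LEN 6        /* assumed: bytes preceding the address value */

/* Bounds check on lengths, never on computed pointers: forming ptr + len
 * beyond one past the end of the buffer is undefined behaviour in C, so a
 * check written on such a pointer cannot be relied on. */
static int addr_fits(size_t payload_len, size_t offset, size_t addr_len)
{
  return offset <= payload_len && addr_len <= payload_len - offset;
}

/* Hypothetical parser: returns the address length, or -1 if it overruns. */
static int parse_addr_len(const uint8_t *payload, size_t payload_len)
{
  if (payload_len < ADDR_HDR_LEN) return -1;
  uint8_t addr_len = payload[ADDR_HDR_LEN - 1]; /* one-byte length field */
  return addr_fits(payload_len, ADDR_HDR_LEN, addr_len) ? addr_len : -1;
}

/* How many of the 256 uint8_t lengths overrun a full-size payload? */
static int count_rejected_full_cell(void)
{
  int rejected = 0;
  for (unsigned v = 0; v <= UINT8_MAX; v++)
    if (!addr_fits(CELL_PAYLOAD_SIZE, ADDR_HDR_LEN, v))
      rejected++;
  return rejected; /* 6 + 255 = 261 <= 509, so none are rejected */
}

/* Constructed sample input: zeroed payload with a chosen length byte. */
static int parse_constructed(uint8_t claimed, size_t buflen)
{
  uint8_t buf[CELL_PAYLOAD_SIZE] = {0};
  if (buflen > sizeof buf) return -1;
  buf[ADDR_HDR_LEN - 1] = claimed;
  return parse_addr_len(buf, buflen);
}

int main(void)
{
  printf("rejected in full cell: %d\n", count_rejected_full_cell());
  printf("200-byte claim in 16-byte buffer: %d\n", parse_constructed(200, 16));
  return 0;
}
```

The length-based check only becomes reachable when the payload is shorter than a full cell, as in the constructed 16-byte buffer.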

