[tor-bugs] #10363 [Tor]: Avoid additional pointer overflow in channeltls.c:channel_tls_process_certs_cells

Tor Bug Tracker & Wiki blackhole at torproject.org
Wed Dec 11 19:41:46 UTC 2013


#10363: Avoid additional pointer overflow in
channeltls.c:channel_tls_process_certs_cells
------------------------+-------------------------------------------------
     Reporter:  nickm   |      Owner:
         Type:  defect  |     Status:  new
     Priority:  major   |  Milestone:  Tor: 0.2.5.x-final
    Component:  Tor     |    Version:
   Resolution:          |   Keywords:  024-backport 023-backport tor-relay
Actual Points:          |  Parent ID:
       Points:          |
------------------------+-------------------------------------------------
Description changed by nickm:

Old description:

> See #101313 for general description.
>
> On IRC, bobnomnom notes a similar issue with
> channel_tls_process_certs_cells. In this case, the compiler can't easily
> optimize the pointer comparison away, so we don't need to worry about
> that, but technically speaking we might be constructing a pointer that
> wraps around ((void*)-1), which would give incorrect results.
>
> And undefined behavior is very bad.  So let's just fix this.  Let's hunt
> for other places it occurs too.

New description:

 See #10313 for general description.

 On IRC, bobnomnom notes a similar issue with
 channel_tls_process_certs_cells. In this case, the compiler can't easily
 optimize the pointer comparison away, so we don't need to worry about
 that, but technically speaking we might be constructing a pointer that
 wraps around ((void*)-1), which would give incorrect results.

 And undefined behavior is very bad.  So let's just fix this.  Let's hunt
 for other places it occurs too.

--

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/10363#comment:2>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
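
The bounds-check pattern the ticket describes, as an added example that is not Tor's code and not part of the ticket. The record layout, the function name `parse_records` and the sample bytes are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed layout (assumption): count[1], then per record
 * type[1], len[2, big-endian], body[len]. */
static const uint8_t sample_ok[]      = {2, 1, 0, 2, 0xAA, 0xBB, 2, 0, 1, 0xCC};
static const uint8_t sample_overlen[] = {1, 1, 0xFF, 0xFF, 0xAA}; /* len 65535, 1 byte left */
static const uint8_t sample_short[]   = {1, 1, 0};                /* header cut off */

/* Returns the number of records walked, or -1 if the payload is truncated. */
int parse_records(const uint8_t *payload, size_t payload_len)
{
    const uint8_t *cp = payload;
    const uint8_t *end = payload + payload_len; /* one past the end: valid */
    int n, i;

    if (payload_len < 1)
        return -1;
    n = *cp++;

    for (i = 0; i < n; i++) {
        size_t len;
        /* cp <= end holds throughout, so end - cp is a valid, non-negative
         * distance. Compare lengths against it instead of building cp + k. */
        if ((size_t)(end - cp) < 3)
            return -1;
        len = ((size_t)cp[1] << 8) | cp[2];
        cp += 3;
        /* Overflow-prone form: if (cp + len > end) return -1;
         * cp + len may point past the buffer, which is undefined behavior,
         * and if it wraps around the address space the check passes. */
        if (len > (size_t)(end - cp))
            return -1;
        cp += len; /* safe: len <= end - cp was just established */
    }
    return n;
}

int main(void)
{
    printf("ok=%d overlen=%d short=%d\n",
           parse_records(sample_ok, sizeof sample_ok),
           parse_records(sample_overlen, sizeof sample_overlen),
           parse_records(sample_short, sizeof sample_short));
    return 0;
}
```
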

