[tor-bugs] #8037 [- Select a component]: Specially crafted microdesc could trigger a flush of up to 16MB of uninitialized heap-allocated memory to media

Tor Bug Tracker & Wiki blackhole at torproject.org
Tue Jan 22 22:12:41 UTC 2013


#8037: Specially crafted microdesc could trigger a flush of up to 16MB of
uninitialized heap-allocated memory to media
----------------------------------+-----------------------------------------
 Reporter:  cypherpunks           |          Owner:     
     Type:  defect                |         Status:  new
 Priority:  normal                |      Milestone:     
Component:  - Select a component  |        Version:     
 Keywords:                        |         Parent:     
   Points:                        |   Actualpoints:     
----------------------------------+-----------------------------------------
 microdescs_parse_from_string() and related functions do not treat the
 string as null-terminated, and allow processing a "string" with a zero
 byte in the middle. md->body = tor_strndup(cp, md->bodylen) duplicates
 only part of such a string. dump_microdescriptor() flushes all bodylen
 bytes of md's body to disk. Specially crafted bytes appended to a valid
 md sent by a directory cache could lead to flushing up to 16MB of memory
 data to media. Tor tries to clear sensitive data on free(), but some
 non-cleared memory still should not be written in plain text to media.

-- 
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/8037>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
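
The length mismatch described in the ticket, as an added example that is not part of the original report and is not Tor's code. The struct, helper names and sample bytes are hypothetical; the copy helper models the behaviour as the ticket describes it and makes no claim about tor_strndup()'s internals.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for the ticket's fields, plus the real allocation size. */
struct md_sketch { char *body; size_t bodylen; size_t alloc; };

/* Constructed sample: 10 bytes of text, a zero byte, 16 trailing bytes. */
static const char SAMPLE[] = "onion-key\n\0AAAAAAAAAAAAAAAA";

/* Length of the text in cp[0..len) up to the first zero byte. */
static size_t text_len(const char *cp, size_t len)
{
    const char *nul = memchr(cp, '\0', len);
    return nul ? (size_t)(nul - cp) : len;
}

/* As the ticket describes: copy stops at the first zero byte, bodylen keeps len. */
static int md_copy_as_described(struct md_sketch *md, const char *cp, size_t len)
{
    size_t n = text_len(cp, len);
    if (!(md->body = malloc(n + 1))) return -1;
    memcpy(md->body, cp, n);
    md->body[n] = '\0';
    md->alloc = n + 1;
    md->bodylen = len;
    return 0;
}

/* Checked variant: refuse input containing an embedded zero byte. */
static int md_copy_checked(struct md_sketch *md, const char *cp, size_t len)
{
    return text_len(cp, len) != len ? -1 : md_copy_as_described(md, cp, len);
}

/* Bytes a bodylen-sized write would read beyond the allocation. */
static size_t md_overread(const struct md_sketch *md)
{
    return md->bodylen > md->alloc ? md->bodylen - md->alloc : 0;
}

int main(void)
{
    struct md_sketch md;
    if (md_copy_as_described(&md, SAMPLE, sizeof SAMPLE - 1)) return 1;
    printf("bodylen=%zu alloc=%zu overread=%zu\n", md.bodylen, md.alloc, md_overread(&md));
    free(md.body);
    return 0;
}
```

A nonzero overread marks the condition the ticket warns about: a writer that trusts bodylen would read past what was copied. The checked variant rejects such input before any length is recorded.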

