[tor-bugs] #8059 [Tor]: miscounting when parsing versions cell
Tor Bug Tracker & Wiki
blackhole at torproject.org
Sat Jan 26 21:35:59 UTC 2013
#8059: miscounting when parsing versions cell
--------------------+-------------------------------------------------------
Reporter: arma | Owner:
Type: defect | Status: new
Priority: normal | Milestone: Tor: 0.2.3.x-final
Component: Tor | Version:
Keywords: | Parent:
Points: | Actualpoints:
--------------------+-------------------------------------------------------
{{{
const uint8_t *cp, *end;
...
for (cp = cell->payload; cp+1 < end; ++cp) {
uint16_t v = ntohs(get_uint16(cp));
}}}
So we count the payload one byte at a time, considering that byte plus the
one after it?
{{{
The payload in a VERSIONS cell is a series of big-endian two-byte
integers.
}}}
That probably produces some weird behavior. Marking as 0.2.3 since I'm not
sure yet what weird behavior.
Reported by bob from irc.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/8059>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
More information about the tor-bugs
mailing list