[tor-bugs] #9980 [Tor]: (cp >= end) in channel_tls_process_netinfo_cell confuses analysis tools

Tor Bug Tracker & Wiki blackhole at torproject.org
Mon Oct 14 18:43:30 UTC 2013


#9980: (cp >= end) in channel_tls_process_netinfo_cell confuses analysis tools
------------------------+------------------------------------
 Reporter:  nickm       |          Owner:
     Type:  defect      |         Status:  new
 Priority:  normal      |      Milestone:  Tor: 0.2.5.x-final
Component:  Tor         |        Version:
 Keywords:  tor-client  |  Actual Points:
Parent ID:              |         Points:
------------------------+------------------------------------
 David Fifield reports that:
 {{{
   my_addr_len = (uint8_t) cell->payload[5];
   end = cell->payload + CELL_PAYLOAD_SIZE;
   cp = cell->payload + 6 + my_addr_len;
   if (cp >= end) {
     ...
     return;
   }
 }}}
 confuses the STACK analysis tool because the check could get optimized
 away.  This check is indeed needless, since CELL_PAYLOAD_SIZE is 509, but
 UINT8_MAX + 6 is only 261, so that branch can never be taken.  Shall we
 just remove it?

-- 
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/9980>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
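
An added example, not code from the ticket or from Tor's source: it rewrites the quoted check as an integer-offset comparison and enumerates every possible value of the length byte to confirm the ticket's arithmetic (6 + UINT8_MAX = 261 < 509). The names `ADDR_HDR_LEN`, `addr_field_overruns`, `count_reachable` and the `payload_len` parameter are hypothetical, introduced only for this illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define CELL_PAYLOAD_SIZE 509  /* value stated in the ticket */
#define ADDR_HDR_LEN 6         /* the constant 6 in the quoted snippet (name is hypothetical) */

/* Offset-based form of the quoted check: it compares integers, so no
 * pointer past the payload is ever formed. payload_len is a hypothetical
 * parameter so the helper can also be exercised with smaller buffers. */
static int addr_field_overruns(const uint8_t *payload, size_t payload_len)
{
    if (payload_len < ADDR_HDR_LEN)
        return 1;                        /* the length byte itself is missing */
    size_t my_addr_len = payload[5];     /* same byte the snippet reads */
    return ADDR_HDR_LEN + my_addr_len >= payload_len;
}

/* Count how many of the 256 possible length bytes make the check fire. */
static int count_reachable(size_t payload_len)
{
    uint8_t payload[CELL_PAYLOAD_SIZE] = {0};   /* constructed sample payload */
    int hits = 0;
    for (unsigned v = 0; v <= UINT8_MAX; v++) {
        payload[5] = (uint8_t)v;
        hits += addr_field_overruns(payload, payload_len);
    }
    return hits;
}

int main(void)
{
    printf("largest offset reachable: %d\n", ADDR_HDR_LEN + UINT8_MAX);
    printf("hits with a %d-byte payload: %d\n", CELL_PAYLOAD_SIZE,
           count_reachable(CELL_PAYLOAD_SIZE));
    printf("hits with a 261-byte payload: %d\n", count_reachable(261));
    return 0;
}
```

With a 509-byte payload the branch is never taken; it only becomes reachable once the payload size drops to 261 bytes or fewer.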

