[tor-bugs] #10363 [Tor]: Avoid additional pointer overflow in channeltls.c:channel_tls_process_certs_cells

Tor Bug Tracker & Wiki blackhole at torproject.org
Tue Apr 8 02:23:07 UTC 2014


#10363: Avoid additional pointer overflow in
channeltls.c:channel_tls_process_certs_cells
-------------------------+-------------------------------------------------
     Reporter:  nickm    |      Owner:
         Type:  defect   |     Status:  needs_review
     Priority:  major    |  Milestone:  Tor: 0.2.5.x-final
    Component:  Tor      |    Version:
   Resolution:           |   Keywords:  024-backport, 023-backport, tor-
Actual Points:           |  relay, 025-triaged
       Points:           |  Parent ID:
-------------------------+-------------------------------------------------

Comment (by andrea):

 Begin code review:

  * e8b7224d88c8bf96ef58de444315304edefe66e1 looks fine to me

  * 47d604fa8ffe5a62c78f766d95045c4eb224889a looks fine to me

  * In 66931507cf8f5e782469c90d0db2858d9af58c14, is the 'if (cp >= end)'
 test on line 853 also possibly an issue?  It's the only remaining use of
 'end' after the current patch I believe.

  * 83763622c589af82db3cc67d08097f60ac98c8a3 yeah, I like this better than
 the one after 47d604fa8ffe5a62c78f766d95045c4eb224889a

  * a201f44f8d46246ed89f3b303ca2bb2e044f74d8 looks okay

  * e40a8796990b5f01c0504c3bb0e1d702eb68f9f1 seems much less icky than the
 old one, at least going by the amounts of time it took my presently rather
 frayed-at-the-edges brain to conclude that both have the same behavior and
 do not attempt to read past the end of the array if cell->payload_len is
 odd.

  * 99cda334a910f8e24c7e0da58a522dae103f9163 looks fine to me

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/10363#comment:9>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
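The two bounds-check shapes this review is about, as an added illustration that is not code from tor's channeltls.c or from any of the commits listed: the "pointer arithmetic first, compare second" form whose intermediate can wrap, and the "remaining bytes as an integer" form that cannot. The cell layout parsed below is a hypothetical, simplified one (N, then N entries of type byte + 2-byte big-endian length + body), and the 2-byte-entry loop is only my assumption about what a parser that must cope with an odd payload_len looks like; the sample bodies are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Added example, not tor's code. Hypothetical layout: N (1 byte), then
 * N entries of cert_type (1) + cert_len (2, big-endian) + cert_len bytes. */

/* The two check shapes on integer addresses, so the wrap is observable
 * without performing undefined pointer arithmetic. Each returns 1 if the
 * check would ACCEPT reading `len` bytes starting at `cp`. */
int naive_check_accepts(uintptr_t cp, uintptr_t end, size_t len)
{
  /* cp + len can wrap to a small value and make the check pass. */
  return cp + len <= end;
}

int safe_check_accepts(uintptr_t cp, uintptr_t end, size_t len)
{
  /* Compute what is left as an integer, then compare to len. */
  return cp <= end && end - cp >= len;
}

/* Pointer form of the safe check, used by the parsers below. */
static int have_bytes(const uint8_t *cp, const uint8_t *end, size_t len)
{
  return cp <= end && (size_t)(end - cp) >= len;
}

/* Walk the hypothetical certs body. Returns the number of entries parsed,
 * or -1 if the body is truncated or a length field runs past the end.
 * Never reads beyond payload + payload_len. */
int parse_certs_body(const uint8_t *payload, size_t payload_len)
{
  const uint8_t *cp = payload;
  const uint8_t *end = payload + payload_len;
  int parsed = 0;

  if (!have_bytes(cp, end, 1))
    return -1;
  unsigned n_certs = *cp++;

  for (unsigned i = 0; i < n_certs; ++i) {
    if (!have_bytes(cp, end, 3))          /* type + 2-byte length */
      return -1;
    size_t cert_len = ((size_t)cp[1] << 8) | cp[2];
    cp += 3;
    if (!have_bytes(cp, end, cert_len))   /* body, checked before the skip */
      return -1;
    cp += cert_len;
    ++parsed;
  }
  return parsed;
}

/* Iterate over 2-byte entries. An odd trailing byte is ignored, never
 * read: the loop condition is on the remaining length, not on cp + 2. */
int count_pairs(const uint8_t *payload, size_t payload_len)
{
  const uint8_t *cp = payload;
  const uint8_t *end = payload + payload_len;
  int n = 0;
  while ((size_t)(end - cp) >= 2) {
    cp += 2;
    ++n;
  }
  return n;
}

/* Constructed sample bodies. */
const uint8_t sample_good[]  = { 2, 1, 0, 3, 'a', 'b', 'c', 2, 0, 1, 'x' };
const uint8_t sample_trunc[] = { 1, 1, 0, 16, 'a' };          /* body missing */
const uint8_t sample_huge[]  = { 1, 1, 0xFF, 0xFF };          /* len 65535 */
const uint8_t sample_odd[]   = { 0, 1, 0, 2, 0 };             /* 5 bytes */

int main(void)
{
  printf("good: %d entries\n", parse_certs_body(sample_good, sizeof sample_good));
  printf("truncated: %d\n", parse_certs_body(sample_trunc, sizeof sample_trunc));
  printf("huge length: %d\n", parse_certs_body(sample_huge, sizeof sample_huge));
  printf("odd payload: %d pairs\n", count_pairs(sample_odd, sizeof sample_odd));
  printf("naive check near top of address space accepts: %d, safe: %d\n",
         naive_check_accepts(UINTPTR_MAX - 10, UINTPTR_MAX - 2, 100),
         safe_check_accepts(UINTPTR_MAX - 10, UINTPTR_MAX - 2, 100));
  return 0;
}
```

The naive form is exactly what a remaining `if (cp >= end)` or `if (cp + len > end)` hides: it is only as good as the intermediate sum, and near the top of the address space (or formally, whenever it points past the object) that sum is meaningless. Writing the check as a comparison against `end - cp` keeps every intermediate within the buffer.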