[tor-bugs] #12227 [Tor]: ASan stack-buffer-overflow in prune_v2_cipher_list -- not exploitable

Tor Bug Tracker & Wiki blackhole at torproject.org
Mon Jun 9 02:18:35 UTC 2014


#12227: ASan stack-buffer-overflow in prune_v2_cipher_list  -- not exploitable
---------------------------+-------------------------------------
     Reporter:  starlight  |      Owner:
         Type:  defect     |     Status:  needs_review
     Priority:  normal     |  Milestone:  Tor: 0.2.5.x-final
    Component:  Tor        |    Version:  Tor: 0.2.4.22
   Resolution:             |   Keywords:  tor-client 024-backport
Actual Points:             |  Parent ID:
       Points:             |
---------------------------+-------------------------------------
Changes (by nickm):

 * status:  new => needs_review
 * keywords:   => tor-client 024-backport
 * milestone:   => Tor: 0.2.5.x-final


Comment:

 The SSLv23_method() call is later modified by the SSL_OP_NO_SSLv2 flag.

 As for the patch, why can't it just be:

 {{{
 diff --git a/src/common/tortls.c b/src/common/tortls.c
 index a6444b8..05e0b50 100644
 --- a/src/common/tortls.c
 +++ b/src/common/tortls.c
 @@ -1477,10 +1477,11 @@ prune_v2_cipher_list(void)

    inp = outp = v2_cipher_list;
    while (*inp) {
 -    unsigned char cipherid[2];
 +    unsigned char cipherid[3];
      const SSL_CIPHER *cipher;
      /* Is there no better way to do this? */
      set_uint16(cipherid, htons(*inp));
 +    cipherid[3] = 0;
      cipher = m->get_cipher_by_char(cipherid);
      if (cipher) {
        tor_assert((cipher->id & 0xffff) == *inp);
 }}}

 ?

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/12227#comment:4>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online


More information about the tor-bugs mailing list