[tor-bugs] #17404 [Tor]: dn_indicates_v3_cert can call memcmp up to 4 chars before the beginning of a string.
Tor Bug Tracker & Wiki
blackhole at torproject.org
Wed Oct 21 15:39:35 UTC 2015
#17404: dn_indicates_v3_cert can call memcmp up to 4 chars before the beginning of
a string.
-------------------------+-------------------------------------------------
 Reporter: nickm         | Owner:
 Type: defect            | Status: new
 Priority: Very High     | Milestone: Tor: 0.2.7.x-final
 Component: Tor          | Version:
 Severity: Major         | Keywords: 024-backport 026-backport 025-backport
 Actual Points:          | Parent ID:
 Points:                 | Sponsor:
-------------------------+-------------------------------------------------
dn_indicates_v3_cert() does this:
{{{
len = ASN1_STRING_to_UTF8(&s, str);
if (len < 0) {
  return 0;
}
r = fast_memneq(s + len - 4, ".net", 4);
}}}
Note that if the len < 4, we read bytes from a malloc header, which isn't
a good thing at all.
In practice, I don't think this should cause crashes or security failures,
unless somebody is using a very weird malloc, or unless somebody has a
hardened installation that detects this kind of invalid check.
Still, this is a must-fix.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/17404>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
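
The length guard this ticket calls for, as an added example that is not part of the original ticket or Tor's source: a suffix check that answers "too short" before any pointer arithmetic. The names `suffix_differs` and `count_not_dot_net` and the sample strings are hypothetical, and the converted string is assumed to arrive as a buffer with an `int` length, as in the snippet above.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not Tor's code): returns 1 if the len-byte buffer s
 * does NOT end with suffix, 0 if it does. Same "not equal" sense as the
 * comparison in the ticket, but it never forms a pointer before s. */
static int
suffix_differs(const unsigned char *s, int len, const char *suffix)
{
  size_t suffix_len = strlen(suffix);

  /* Negative length is an error return from the converter. The ticket's
   * function returns early in that case; this helper reports "differs". */
  if (s == NULL || len < 0)
    return 1;
  /* Shorter than the suffix: s + len - suffix_len would point before the
   * allocation, so decide without reading any memory. */
  if ((size_t)len < suffix_len)
    return 1;
  return memcmp(s + (size_t)len - suffix_len, suffix, suffix_len) != 0;
}

/* Constructed sample inputs, including the short strings (len < 4) that
 * trigger the out-of-bounds read in the unguarded version. */
static int
count_not_dot_net(void)
{
  static const char *names[] = {
    "www.example.net", ".net", "net", "a", "", "www.example.com"
  };
  int n = 0;
  for (size_t i = 0; i < sizeof(names) / sizeof(names[0]); i++)
    n += suffix_differs((const unsigned char *)names[i],
                        (int)strlen(names[i]), ".net");
  return n;
}

int
main(void)
{
  printf("names not ending in .net: %d\n", count_not_dot_net());
  return 0;
}
```

Building the unguarded form with AddressSanitizer (`-fsanitize=address`) and feeding it a heap-allocated string shorter than four bytes is one way to confirm the invalid read the ticket describes.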