[tor-bugs] #18162 [Tor]: Potential heap corruption in smartlist_add(), smartlist_insert()

Tor Bug Tracker & Wiki blackhole at torproject.org
Wed Feb 10 07:03:10 UTC 2016


#18162: Potential heap corruption in smartlist_add(), smartlist_insert()
-------------------------------------------------+-------------------------
 Reporter:  asn                                  |          Owner:  nickm
     Type:  defect                               |         Status:
 Priority:  High                                 |  needs_review
Component:  Tor                                  |      Milestone:  Tor:
 Severity:  Normal                               |  0.2.8.x-final
 Keywords:  tor-bug-bounty security              |        Version:
  025-backport 026-backport 027-backport         |     Resolution:
  024-backport                                   |  Actual Points:
Parent ID:                                       |         Points:
  Sponsor:                                       |
-------------------------------------------------+-------------------------

Comment (by teor):

 Replying to [comment:17 asn]:
 > Looking at `bug18162_024`:
 >
 > {{{
 > -  if (size > sl->capacity) {
 > -    int higher = sl->capacity;
 > +  tor_assert(size <= MAX_CAPACITY);
 > }}}
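Review bot: the new `tor_assert(size <= MAX_CAPACITY)` is reachable from a caller that asks for MAX_CAPACITY + 1 elements, so it turns the overflow asn describes into a deliberate abort rather than a corrupted capacity; that is a defensible trade, but it should be stated in the changelog. The hunk also drops `int higher = sl->capacity;` without showing the doubling loop that used it, so the rest of the function needs checking to confirm the doubled capacity is bounded by MAX_CAPACITY as well, not only the requested `size`.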
 >
 > can't this assert be triggered by an attacker who can fill up
 smartlists? For example `smartlist_add()` does
 > {{{
 > -  smartlist_ensure_capacity(sl, sl->num_used+1);
 > +  smartlist_ensure_capacity(sl, ((size_t) sl->num_used)+1);
 > }}}
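Review bot: the cast is in the right place: `((size_t) sl->num_used)+1` widens before the addition, so the +1 cannot overflow when `num_used` is already the largest `int`; `(size_t)(sl->num_used+1)` would still perform the sum in `int` and give the wrong answer. This only helps if the `size` parameter of `smartlist_ensure_capacity()` is itself widened to `size_t` (not visible in this hunk); otherwise the widened value is truncated straight back at the call.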
 > what if `sl->num_used` is MAX_CAPACITY at that point?
 >
 > Or is that assert just there to stop the heap corruption, assuming we
 will never need so many elements in a smartlist?

 Yes, if we're using over 2 billion elements in a smartlist, something has
 gone very wrong, and we should exit.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/18162#comment:19>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
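The following is an added illustrative model of the overflow this ticket discusses; it is not Tor's code and not part of the original thread. It assumes a toy list with the same `int num_used` / `int capacity` layout, uses `INT_MAX` as a stand-in for the real `MAX_CAPACITY` (whose value the thread does not show), and returns -1 where Tor would `tor_assert()`. It shows that `num_used + 1` overflows `int` on a full list, that widening to `size_t` before adding produces a value the cap check can reject, and that the growth step itself is bounded so doubling can never wrap.

```c
/* Illustrative model of ticket #18162 (added example, not Tor's smartlist). */
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Assumption: stand-in for Tor's MAX_CAPACITY, whose value is not on the page. */
#define TOY_MAX_CAPACITY ((size_t)INT_MAX)

typedef struct {
  void **list;
  int num_used;
  int capacity;
} toy_smartlist_t;

/* Returns 1 if a + b would overflow int. This is the check the original
 * `sl->num_used+1` lacked: at num_used == INT_MAX the sum is undefined. */
static int
toy_int_add_overflows(int a, int b)
{
  return (b > 0 && a > INT_MAX - b) || (b < 0 && a < INT_MIN - b);
}

/* The size the fixed smartlist_add() requests: widen first, then add,
 * so the +1 is computed in size_t and cannot wrap. */
static size_t
toy_requested_size(int num_used)
{
  return ((size_t)num_used) + 1;
}

/* Hardened growth. Returns 0 on success, -1 where Tor would assert
 * (size above the cap) or where allocation would overflow or fail.
 * Growth is capped at TOY_MAX_CAPACITY, so the doubling loop is bounded. */
static int
toy_ensure_capacity(toy_smartlist_t *sl, size_t size)
{
  size_t higher;
  void **p;

  if (size > TOY_MAX_CAPACITY)
    return -1;                      /* Tor: tor_assert(size <= MAX_CAPACITY) */
  if (size <= (size_t)sl->capacity)
    return 0;

  higher = (size_t)sl->capacity;
  if (size > TOY_MAX_CAPACITY / 2) {
    higher = TOY_MAX_CAPACITY;      /* doubling would exceed the cap: clamp */
  } else {
    if (higher == 0)
      higher = 1;
    while (size > higher)
      higher *= 2;                  /* safe: higher <= TOY_MAX_CAPACITY / 2 */
  }

  /* Element count times element size must also fit in size_t. */
  if (higher > SIZE_MAX / sizeof(void *))
    return -1;
  p = realloc(sl->list, higher * sizeof(void *));
  if (p == NULL)
    return -1;
  sl->list = p;
  sl->capacity = (int)higher;
  return 0;
}

/* Append one element; refuses instead of writing past the buffer. */
static int
toy_add(toy_smartlist_t *sl, void *element)
{
  if (toy_ensure_capacity(sl, toy_requested_size(sl->num_used)) != 0)
    return -1;
  sl->list[sl->num_used++] = element;
  return 0;
}

int
main(void)
{
  toy_smartlist_t sl = { NULL, 0, 0 };
  int a = 1, b = 2, c = 3;

  printf("INT_MAX + 1 overflows int: %d\n", toy_int_add_overflows(INT_MAX, 1));
  printf("add x3: %d %d %d -> num_used=%d capacity=%d\n",
         toy_add(&sl, &a), toy_add(&sl, &b), toy_add(&sl, &c),
         sl.num_used, sl.capacity);
  /* Pretend the list is full (no real allocation of 2^31 entries). */
  sl.num_used = INT_MAX;
  printf("add on full list rejected: %d\n", toy_add(&sl, &a));
  free(sl.list);
  return 0;
}
```

The last `toy_add()` call is the case asn raises: with `num_used` at the cap, the widened request is `INT_MAX + 1`, which exceeds `TOY_MAX_CAPACITY`, so the cap check fails closed instead of the `int` sum wrapping into a small or negative size.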

