[tor-bugs] #18296 [Tor]: Potential integer overflow and memory corruption in smartlist_heapify
Tor Bug Tracker & Wiki
blackhole at torproject.org
Wed Feb 10 10:21:56 UTC 2016
#18296: Potential integer overflow and memory corruption in smartlist_heapify
-----------------------------+-----------------
Reporter: cypherpunks | Owner:
Type: defect | Status: new
Priority: Medium | Milestone:
Component: Tor | Version:
Severity: Normal | Keywords:
Actual Points: | Parent ID:
Points: | Sponsor:
-----------------------------+-----------------
The LEFT_CHILD/RIGHT_CHILD macros used in container.c::smartlist_heapify()
can overflow.
This can potentially result in using a negative array index in the
smartlist memory block and writing to some out of bounds memory location.
This is probably not currently exploitable, given the limited usage of
smartlist_heapify. The places where it is used look hard to control for an
attacker and the amount of memory required would likely be too much for
Tor to be able to allocate.
Tor should be built with ftrapv. Ticket 17983 looks like a bad idea.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/18296>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
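Added example, not part of the ticket or of Tor's container.c: a self-contained C program showing how a child-index computation of the conventional binary-heap shape (2*i+1 for the left child, 2*i+2 for the right) overflows a signed int and turns into a negative array index, plus two ways to prevent it. The macro definitions, the function names and the sample array below are assumptions made for this illustration; the ticket does not quote Tor's actual macros, and this is not the project's fix.

```c
/*
 * Added example (not Tor's code): how a 2*i+1 / 2*i+2 child-index
 * computation overflows a signed int, and two ways to avoid it.
 * The macro shapes below are ASSUMED to match the conventional heap
 * layout the ticket refers to; they are not copied from container.c.
 */
#include <limits.h>
#include <stdint.h>
#include <stdio.h>

/* Conventional binary-heap child macros (assumed shape). With `int i`,
 * 2*(i)+1 overflows once i > (INT_MAX-1)/2 = 1073741823. Signed
 * overflow is undefined behaviour in C; compiled without -ftrapv the
 * usual result is a two's-complement wrap to a negative value. */
#define LEFT_CHILD(i)  (2 * (i) + 1)
#define RIGHT_CHILD(i) (2 * (i) + 2)

/* Reduce a wide result to the value a wrapped 32-bit int would hold.
 * Done explicitly via int64_t so this demonstration itself has no UB. */
static int wrap_to_int32(int64_t v)
{
    uint32_t u = (uint32_t)v;            /* well-defined modulo 2^32 */
    if (u > (uint32_t)INT32_MAX)
        return (int)((int64_t)u - 4294967296LL);
    return (int)u;
}

/* What LEFT_CHILD/RIGHT_CHILD evaluate to on a wrapping target. */
int left_child_wrapped(int i)  { return wrap_to_int32(2 * (int64_t)i + 1); }
int right_child_wrapped(int i) { return wrap_to_int32(2 * (int64_t)i + 2); }

/* Fix 1: overflow-checked index computation. Returns 1 and stores the
 * child index, or 0 if the result would not fit in an int. */
int left_child_checked(int i, int *out)
{
    if (i < 0 || i > (INT_MAX - 1) / 2)
        return 0;
    *out = LEFT_CHILD(i);
    return 1;
}

int right_child_checked(int i, int *out)
{
    if (i < 0 || i > (INT_MAX - 2) / 2)
        return 0;
    *out = RIGHT_CHILD(i);
    return 1;
}

/* Fix 2: never compute a child index that is out of range. For a heap
 * of n elements, node i has a left child iff 2*i+1 <= n-1, i.e.
 * i <= (n-2)/2, and a right child iff i <= (n-3)/2. Neither test
 * multiplies i, so neither can overflow. The n guards matter because
 * C truncates toward zero: (1-2)/2 == 0 would wrongly admit i == 0. */
static int has_left_child(int i, int n)  { return n >= 2 && i <= (n - 2) / 2; }
static int has_right_child(int i, int n) { return n >= 3 && i <= (n - 3) / 2; }

/* Max-heap sift-down written against the bounds checks above. */
void heap_sift_down(int *a, int n, int i)
{
    while (has_left_child(i, n)) {
        int largest = LEFT_CHILD(i);     /* safe: i <= (n-2)/2 */
        if (has_right_child(i, n) && a[RIGHT_CHILD(i)] > a[largest])
            largest = RIGHT_CHILD(i);
        if (a[i] >= a[largest])
            return;
        int tmp = a[i]; a[i] = a[largest]; a[largest] = tmp;
        i = largest;
    }
}

void build_max_heap(int *a, int n)
{
    if (n < 2)
        return;
    for (int i = (n - 2) / 2; i >= 0; i--)
        heap_sift_down(a, n, i);
}

/* 1 if a[0..n) satisfies the max-heap property, else 0. */
int is_max_heap(const int *a, int n)
{
    for (int i = 0; has_left_child(i, n); i++) {
        if (a[LEFT_CHILD(i)] > a[i])
            return 0;
        if (has_right_child(i, n) && a[RIGHT_CHILD(i)] > a[i])
            return 0;
    }
    return 1;
}

int main(void)
{
    int i = INT_MAX / 2 + 1;             /* 1073741824 */
    int out;
    printf("LEFT_CHILD(%d) wraps to %d\n", i, left_child_wrapped(i));
    printf("checked: %s\n", left_child_checked(i, &out) ? "ok" : "rejected");
    int a[] = {1, 9, 7, 3, 2, 8};        /* constructed sample input */
    build_max_heap(a, 6);
    printf("heap root %d, valid=%d\n", a[0], is_max_heap(a, 6));
    return 0;
}
```

The second fix is the one that matters for a heapify routine: if every child index is derived only after proving i <= (n-2)/2, no index can exceed n-1, so the multiplication cannot overflow regardless of whether the build uses -ftrapv. The first fix shows the boundary a reviewer should check by hand: (INT_MAX-1)/2 is the last index with a representable left child, and its right child already does not fit.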