[tor-bugs] #18296 [Tor]: Potential integer overflow and memory corruption in smartlist_heapify
Tor Bug Tracker & Wiki
blackhole at torproject.org
Thu Feb 18 00:58:54 UTC 2016
#18296: Potential integer overflow and memory corruption in smartlist_heapify
-------------------------+------------------------------------
Reporter: cypherpunks | Owner: nickm
Type: defect | Status: needs_review
Priority: Medium | Milestone: Tor: 0.2.8.x-final
Component: Tor | Version:
Severity: Normal | Resolution:
Keywords: | Actual Points:
Parent ID: | Points:
Sponsor: |
-------------------------+------------------------------------
Comment (by teor):
Replying to [comment:8 nickm]:
> Branch `bug18296` has a simple-ish fix for this. Is it right?
This check avoids overflow, but only once we get to the end of the list.
If it's a long list, that could take a while.
I wonder if we should just check `smartlist_len() <= (INT_MAX/2 - 2)`
instead?
Also, should we tor_assert() rather than returning?
The resultant heap is not valid, and might cause more subtle issues later
on.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/18296#comment:10>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
More information about the tor-bugs
mailing list