[tor-bugs] #18296 [Tor]: Potential integer overflow and memory corruption in smartlist_heapify

Tor Bug Tracker & Wiki blackhole at torproject.org
Thu Feb 18 00:58:54 UTC 2016


#18296: Potential integer overflow and memory corruption in smartlist_heapify
-------------------------+------------------------------------
 Reporter:  cypherpunks  |          Owner:  nickm
     Type:  defect       |         Status:  needs_review
 Priority:  Medium       |      Milestone:  Tor: 0.2.8.x-final
Component:  Tor          |        Version:
 Severity:  Normal       |     Resolution:
 Keywords:               |  Actual Points:
Parent ID:               |         Points:
  Sponsor:               |
-------------------------+------------------------------------

Comment (by teor):

 Replying to [comment:8 nickm]:
 > Branch `bug18296` has a simple-ish fix for this. Is it right?

 This check avoids overflow, but only once we get to the end of the list.
 If it's a long list, that could take a while.

 I wonder if we should just check `smartlist_len() <= (INT_MAX/2 - 2)`
 instead?

 Also, should we tor_assert() rather than returning?
 The resultant heap is not valid, and might cause more subtle issues later
 on.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/18296#comment:10>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online


More information about the tor-bugs mailing list