[tor-bugs] #19567 [Core Tor/Tor]: SR: Fix issues Coverity found:

Tor Bug Tracker & Wiki blackhole at torproject.org
Mon Jul 4 15:16:31 UTC 2016


#19567: SR: Fix issues Coverity found:
-------------------------------+--------------------------------
     Reporter:  dgoulet        |      Owner:
         Type:  defect         |     Status:  new
     Priority:  High           |  Milestone:  Tor: 0.2.9.x-final
    Component:  Core Tor/Tor   |    Version:
     Severity:  Normal         |   Keywords:  tor-sr test
Actual Points:                 |  Parent ID:
       Points:  0.1            |   Reviewer:
      Sponsor:  SponsorR-must  |
-------------------------------+--------------------------------
 Issue 1:
 {{{
 /src/or/shared_random_state.c: 639 in disk_state_update()
 633         next = &(line->next);
 634       }
 635       if (sr_state->current_srv != NULL) {
 636         *next = line = tor_malloc_zero(sizeof(*line));
 637         line->key = tor_strdup(dstate_cur_srv_key);
 638         disk_state_put_srv_line(sr_state->current_srv, line);
 >>>     CID 1362985:  Code maintainability issues  (UNUSED_VALUE)
 >>>     Assigning value from "&line->next" to "next" here, but that stored value is overwritten before it can be used.
 639         next = &(line->next);
 640       }
 641
 642       /* Parse the commits and construct config line(s). */
 643       next = &sr_disk_state->Commit;
 644       DIGESTMAP_FOREACH(sr_state->commits, key, sr_commit_t *, commit) {
 }}}

 Issue 2:
 {{{
 *** CID 1362984:  Memory - corruptions  (OVERRUN)
 /src/test/test_shared_random.c: 943 in test_utils()
 937         const char *payload =
 938           "\x5d\xb9\x60\xb6\xcc\x51\x68\x52\x31\xd9\x88\x88\x71\x71\xe0\x30"
 939           "\x59\x55\x7f\xcd\x61\xc0\x4b\x05\xb8\xcd\xc1\x48\xe9\xcd\x16\x1f"
 940           "\x70\x15\x0c\xfc\xd3\x1a\x75\xd0\x93\x6c\xc4\xe0\x5c\xbe\xe2\x18"
 941           "\xc7\xaf\x72\xb6\x7c\x9b\x52";
 942         sr_commit_t commit1, commit2;
 >>>     CID 1362984:  Memory - corruptions  (OVERRUN)
 >>>     Overrunning buffer pointed to by "payload" of 56 bytes by passing it to a function which accesses it at byte offset 56 using argument "57UL". [Note: The source code implementation of the function has been overridden by a builtin model.]
 943         memcpy(commit1.encoded_commit, payload, sizeof(commit1.encoded_commit));
 944         memcpy(commit2.encoded_commit, payload, sizeof(commit2.encoded_commit));
 945         tt_int_op(commitments_are_the_same(&commit1, &commit2), ==, 1);
 946         /* Let's corrupt one of them. */
 947         memset(commit1.encoded_commit, 'A', sizeof(commit1.encoded_commit));
 948         tt_int_op(commitments_are_the_same(&commit1, &commit2), ==, 0);
 }}}

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/19567>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

