[tor-bugs] #19150 [Core Tor/Tor]: Pointer overflow in memarea_alloc()
Tor Bug Tracker & Wiki
blackhole at torproject.org
Mon May 23 09:03:17 UTC 2016
#19150: Pointer overflow in memarea_alloc()
------------------------------+---------------------------------
Reporter: asn | Owner:
Type: defect | Status: new
Priority: Medium | Milestone: Tor: 0.2.9.x-final
Component: Core Tor/Tor | Version: Tor: 0.2.1.10-alpha
Severity: Normal | Keywords: TorCoreTeam201605
Actual Points: | Parent ID:
Points: | Reviewer:
Sponsor: |
------------------------------+---------------------------------
There is a pointer overflow in `memarea_alloc()`:
{{{
if (chunk->next_mem+sz > chunk->U_MEM+chunk->mem_size) {
}}}
It does not seem to be RCE exploitable, since in all places in
`routerparse.c` where memareas are used, we restrict the input size to
128 KB or so (through `MAX_LINE_LENGTH` and `MAX_UNPARSED_OBJECT_SIZE`).
However, we should still fix this to plug any DoS threats and for future
code correctness.
The bug was found by Guido Vranken through the HackerOne bug bounty
program.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/19150>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
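The bounds check quoted in the ticket, rebuilt as an added example to show why `next_mem + sz` can wrap past the end of the address space and how a size-based comparison avoids it. This is not Tor's code: the `chunk_t` layout, the `CHUNK_SIZE` constant, the plain `mem[]` array standing in for `chunk->U_MEM`, and the hardened variant are all my assumptions, and the fix shown is a suggested form rather than Tor's actual patch. The wraparound is evaluated on `uintptr_t` so that it is reproducible; in the original it is pointer arithmetic, which is undefined behaviour on overflow in C, so a compiler is free to do anything with it.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical memarea chunk, modelled on the ticket's field names.
 * It is not Tor's real struct: Tor keeps the chunk memory after the
 * header and reaches it through the U_MEM macro; here a plain array
 * stands in for that. CHUNK_SIZE is an assumed value. */
#define CHUNK_SIZE 4096

typedef struct {
    size_t mem_size;        /* usable bytes in mem[] */
    char *next_mem;         /* first unallocated byte */
    char mem[CHUNK_SIZE];   /* stands in for chunk->U_MEM */
} chunk_t;

static void chunk_init(chunk_t *c)
{
    c->mem_size = CHUNK_SIZE;
    c->next_mem = c->mem;
}

/* The check as reported: form next_mem + sz and compare it with the end
 * of the chunk. Done on uintptr_t so the wraparound is reproducible;
 * with real pointers the overflow is undefined behaviour. Returns true
 * when the check would let the allocation through. */
static bool fits_as_reported(const chunk_t *c, size_t sz)
{
    uintptr_t next = (uintptr_t)c->next_mem;
    uintptr_t end  = (uintptr_t)c->mem + c->mem_size;
    /* For sz close to SIZE_MAX, next + sz wraps to just below next, so
     * "next + sz > end" is false and the oversized request is accepted. */
    return !(next + sz > end);
}

/* Hardened check (suggested form, not Tor's actual patch): compare the
 * request against the bytes remaining. used <= mem_size always holds,
 * so the subtraction cannot underflow and no out-of-range pointer is
 * ever formed. */
static bool fits_hardened(const chunk_t *c, size_t sz)
{
    size_t used = (size_t)(c->next_mem - c->mem);
    return sz <= c->mem_size - used;
}

/* Bump allocator using the hardened check; returns NULL when the chunk
 * cannot satisfy the request. Alignment is ignored for brevity. */
static void *chunk_alloc(chunk_t *c, size_t sz)
{
    if (!fits_hardened(c, sz))
        return NULL;
    void *p = c->next_mem;
    c->next_mem += sz;
    return p;
}

/* Evaluate each check against a fresh, empty chunk. */
static bool reported_accepts(size_t sz)
{
    chunk_t c;
    chunk_init(&c);
    return fits_as_reported(&c, sz);
}

static bool hardened_accepts(size_t sz)
{
    chunk_t c;
    chunk_init(&c);
    return fits_hardened(&c, sz);
}

/* How many allocations of sz bytes (sz > 0) one chunk can satisfy. */
static int count_allocs(size_t sz)
{
    chunk_t c;
    chunk_init(&c);
    int n = 0;
    while (chunk_alloc(&c, sz) != NULL)
        n++;
    return n;
}

int main(void)
{
    size_t huge = SIZE_MAX - 64;   /* constructed oversized request */
    printf("sz=%zu: reported check accepts %d, hardened check accepts %d\n",
           huge, reported_accepts(huge), hardened_accepts(huge));
    printf("sz=%d: reported check accepts %d, hardened check accepts %d\n",
           CHUNK_SIZE + 1, reported_accepts(CHUNK_SIZE + 1),
           hardened_accepts(CHUNK_SIZE + 1));
    printf("1024-byte allocations from one chunk: %d\n", count_allocs(1024));
    return 0;
}
```

The reported check rejects a request of `CHUNK_SIZE + 1` correctly but accepts `SIZE_MAX - 64`, because the wrapped sum lands below `next_mem`; the hardened check rejects both. Whether the real code's undefined pointer overflow ends up accepting the request depends on the compiler, which is exactly why the ticket treats the size limits in `routerparse.c` as the thing standing between this and a memory-safety problem.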