[tor-bugs] #19150 [Core Tor/Tor]: Pointer overflow in memarea_alloc()

Tor Bug Tracker & Wiki blackhole at torproject.org
Mon May 23 09:03:17 UTC 2016


#19150: Pointer overflow in memarea_alloc()
------------------------------+---------------------------------
     Reporter:  asn           |      Owner:
         Type:  defect        |     Status:  new
     Priority:  Medium        |  Milestone:  Tor: 0.2.9.x-final
    Component:  Core Tor/Tor  |    Version:  Tor: 0.2.1.10-alpha
     Severity:  Normal        |   Keywords:  TorCoreTeam201605
Actual Points:                |  Parent ID:
       Points:                |   Reviewer:
      Sponsor:                |
------------------------------+---------------------------------
 There is a pointer overflow in `memarea_alloc()`:

 {{{
   if (chunk->next_mem+sz > chunk->U_MEM+chunk->mem_size) {
 }}}

 It does not seem to be RCE exploitable, since in all places in
 `routerparse.c` where memareas are used, we restrict the input size to
 128kb or so (through `MAX_LINE_LENGTH` and `MAX_UNPARSED_OBJECT_SIZE`).

 However, we should still fix this to plug any DoS threats and for future
 code correctness.

 The bug was found by Guido Vranken through the hackerone bug bounty
 program.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/19150>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online


More information about the tor-bugs mailing list