[tor-bugs] #20081 [Core Tor/Tor]: potential memory corruption in or/buffers.c (not exploitable)

Tor Bug Tracker & Wiki blackhole at torproject.org
Mon Sep 12 11:26:34 UTC 2016


#20081: potential memory corruption in or/buffers.c  (not exploitable)
-----------------------------------------+---------------------------------
 Reporter:  asn                          |          Owner:
     Type:  defect                       |         Status:  needs_review
 Priority:  Medium                       |      Milestone:  Tor:
                                         |  0.2.9.x-final
Component:  Core Tor/Tor                 |        Version:
 Severity:  Normal                       |     Resolution:
 Keywords:  029-proposed tor-bug-bounty  |  Actual Points:
Parent ID:                               |         Points:  0.3
 Reviewer:                               |        Sponsor:
-----------------------------------------+---------------------------------

Comment (by nickm):

 Like, how about this:
 {{{
 diff --git a/src/or/buffers.c b/src/or/buffers.c
 index 31985723929a11..631c3b863a1b87 100644
 --- a/src/or/buffers.c
 +++ b/src/or/buffers.c
 @@ -169,6 +169,9 @@ chunk_grow(chunk_t *chunk, size_t sz)
  static inline size_t
  preferred_chunk_size(size_t target)
  {
 +  tor_assert(target <= SIZE_T_CEILING - CHUNK_HEADER_LEN);
 +  if (target > MAX_CHUNK_ALLOC)
 +    return target;
    size_t sz = MIN_CHUNK_ALLOC;
    while (CHUNK_SIZE_WITH_ALLOC(sz) < target) {
      sz <<= 1;
 }}}
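
Review bot: the early `return target;` in `preferred_chunk_size()` looks like it returns a value in the wrong unit. The loop that follows compares `CHUNK_SIZE_WITH_ALLOC(sz) < target`, so `sz` is an allocation size and `target` is the usable length that allocation must hold; the new assert leaves `CHUNK_HEADER_LEN` of headroom above `target` for the same reason. Assuming the function goes on to return `sz` (the return statement is outside the visible context), handing back `target` unchanged when it exceeds `MAX_CHUNK_ALLOC` gives the caller a size that is `CHUNK_HEADER_LEN` short of what the other path would guarantee. The `target > MAX_CHUNK_ALLOC` test has the same mismatch, since it compares a usable length against an allocation limit. Suggest comparing and returning the header-inclusive size, `target + CHUNK_HEADER_LEN`, which the assert already keeps within `SIZE_T_CEILING`, and adding a short comment that large targets skip the power-of-two rounding.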

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/20081#comment:4>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

