[tor-bugs] #21894 [Core Tor/Tor]: Base32_encode: *actually* allow inputs of odd sizes
Tor Bug Tracker & Wiki
blackhole at torproject.org
Fri Apr 7 14:44:55 UTC 2017
#21894: Base32_encode: *actually* allow inputs of odd sizes
------------------------------+---------------------------------------
     Reporter:  nickm         |      Owner:
         Type:  defect        |     Status:  new
     Priority:  High          |  Milestone:  Tor: 0.3.1.x-final
    Component:  Core Tor/Tor  |    Version:
     Severity:  Normal        |   Keywords:  029-backport 030-backport
Actual Points:                |  Parent ID:
       Points:                |   Reviewer:
      Sponsor:                |
------------------------------+---------------------------------------
 When we "fixed" #18280 in 4e4a7d2b0c199227252a742541461ec4cc35d358 in 0291
 it appears that we introduced a bug: The base32_encode function can read
 off the end of the input buffer, if the input buffer size modulo 5 is not
 equal to 0 or 3.

 This is not ''completely'' horrible, for two reasons:
   * The extra bits that are read are never actually used: so this is only
     a crash when asan is enabled, in the worst case.
   * The input sizes passed to base32_encode are only ever multiples of 5.
     They are all either DIGEST_LEN (20), REND_SERVICE_ID_LEN (10),
     sizeof(rand_bytes) in addressmap.c (10), or an input in crypto.c that is
     forced to a multiple of 5. So this bug can't actually trigger.

 Nonetheless, let's fix it!

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/21894>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
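
The class of bug described in the ticket, shown as an added example that is not Tor's code or the patch for this ticket: a base32 encoder that works on a 16-bit window and guards the second byte read by byte index, so input lengths that are not a multiple of 5 never read past the buffer. The names `b32_encode`, `b32_encoded_len` and `b32_max_index_read`, the lowercase unpadded alphabet, and the sample input are assumptions of this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Lowercase RFC 4648 alphabet, no '=' padding (assumption of this example). */
static const char B32_CHARS[] = "abcdefghijklmnopqrstuvwxyz234567";

/* Highest src index read by the last call, so a test can prove no over-read. */
static size_t b32_max_index_read;

/* Output characters needed for srclen input bytes: ceil(srclen * 8 / 5). */
size_t b32_encoded_len(size_t srclen) {
  return (srclen * 8 + 4) / 5;
}

/* Encode src[0..srclen) into dest as a NUL-terminated string.
 * Returns 0 on success, -1 if srclen is too large or dest is too small. */
int b32_encode(char *dest, size_t destlen, const uint8_t *src, size_t srclen) {
  size_t nbits, bit, i;
  if (srclen > (SIZE_MAX - 4) / 8 || destlen < b32_encoded_len(srclen) + 1)
    return -1;
  nbits = srclen * 8;
  b32_max_index_read = 0;
  for (i = 0, bit = 0; bit < nbits; ++i, bit += 5) {
    size_t idx = bit / 8;
    uint32_t v = (uint32_t)src[idx] << 8; /* high half of a 16-bit window */
    b32_max_index_read = idx;
    /* Guard the second read by byte index: a trailing partial group is
     * padded with zero bits instead of taking them from src[srclen]. */
    if (idx + 1 < srclen) {
      v |= src[idx + 1];
      b32_max_index_read = idx + 1;
    }
    dest[i] = B32_CHARS[(v >> (11 - (bit % 8))) & 0x1F];
  }
  dest[i] = '\0';
  return 0;
}

int main(void) {
  const uint8_t sample[] = "foobar"; /* constructed input (RFC 4648 vectors) */
  char out[16];
  size_t n;
  for (n = 1; n <= 6; n++)
    if (b32_encode(out, sizeof out, sample, n) == 0)
      printf("%zu bytes -> %s (max index read %zu)\n", n, out, b32_max_index_read);
  return 0;
}
```

Running the same lengths under AddressSanitizer with exactly sized heap buffers is the check that would have caught the over-read the ticket describes.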