[tor-bugs] #20894 [Core Tor/Tor]: Resolve read-off-end-of-buffer on atoi in fetch_from_buf_http (TROVE-2016-10-001) (was: Fix known instance of TROVE-2016-10-001)

Tor Bug Tracker & Wiki blackhole at torproject.org
Thu Feb 9 20:42:14 UTC 2017


#20894: Resolve read-off-end-of-buffer on atoi in fetch_from_buf_http
(TROVE-2016-10-001)
---------------------------------------+-----------------------------------
 Reporter:  teor                       |          Owner:  nickm
     Type:  defect                     |         Status:  assigned
 Priority:  Medium                     |      Milestone:  Tor:
                                       |  0.3.0.x-final
Component:  Core Tor/Tor               |        Version:  Tor: unspecified
 Severity:  Normal                     |     Resolution:
 Keywords:  tor-03-unspecified-201612  |  Actual Points:
Parent ID:                             |         Points:  0.5
 Reviewer:                             |        Sponsor:
---------------------------------------+-----------------------------------

Comment (by nickm):

 The problem was the atoi() in fetch_from_buf_http: it's entirely too happy
 to read off the end of a buf if there is no subsequent '\n' in the same
 chunk as the "content-length".

 We fixed this with the patch for #20384, where we made sure that every buf
 chunk was NUL-terminated, but we really ought to fix the underlying issue
 too.

 I have an overcomplicated patch in bug20894_024.  Probably it should use
 tor_parse_uint64 instead of atoi.  But the part that I really dislike is
 the hunt-for-the-newline-and-copy-the-header part -- it's overcomplicated
 and more than a little bit zany.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/20894#comment:6>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
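The bounded parse that nickm's comment asks for, written as an added C example (not Tor's code, not the bug20894_024 branch, and not tor_parse_uint64): it scans a buffer chunk of exactly `len` bytes, never assumes a NUL terminator, and fails closed when the "Content-Length" line does not end inside the chunk. The function name and the chunk layout are assumptions.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdint.h>

/* Hypothetical bounded replacement for the atoi() call the ticket describes.
 * Returns 1 and stores the value only if the header and its terminating '\n'
 * both lie inside chunk[0..len); returns 0 otherwise. No byte at or past
 * chunk+len is ever read, so a missing NUL cannot lead to an over-read. */
int parse_content_length_bounded(const char *chunk, size_t len, uint64_t *out)
{
    static const char key[] = "content-length:";
    const size_t klen = sizeof(key) - 1;
    size_t i = 0, j;

    /* Walk line starts, comparing the header name case-insensitively. */
    while (i + klen <= len) {
        for (j = 0; j < klen; j++)
            if (tolower((unsigned char)chunk[i + j]) != key[j])
                break;
        if (j == klen)
            break;                      /* header found at line start i */
        while (i < len && chunk[i] != '\n')
            i++;
        i++;                            /* past '\n', or past len (loop ends) */
    }
    if (i + klen > len)
        return 0;                       /* header absent or cut off */
    i += klen;
    while (i < len && (chunk[i] == ' ' || chunk[i] == '\t'))
        i++;
    if (i >= len || !isdigit((unsigned char)chunk[i]))
        return 0;                       /* no digits inside the chunk */

    uint64_t v = 0;
    while (i < len && isdigit((unsigned char)chunk[i])) {
        unsigned d = (unsigned)(chunk[i] - '0');
        if (v > (UINT64_MAX - d) / 10)
            return 0;                   /* would overflow uint64_t */
        v = v * 10 + d;
        i++;
    }
    if (i < len && chunk[i] == '\r')
        i++;
    /* atoi() would keep reading past len here; require the line end instead. */
    if (i >= len || chunk[i] != '\n')
        return 0;
    *out = v;
    return 1;
}
```

A chunk that ends right after the digits (the case the comment describes) yields 0 rather than a value read from whatever follows the buffer.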