[tor-bugs] #22368 [Core Tor/Tor]: double-free of MyFamily lines

Tor Bug Tracker & Wiki blackhole at torproject.org
Thu May 25 05:23:11 UTC 2017


#22368: double-free of MyFamily lines
------------------------------------------------+-------------------------------------
 Reporter:  arma                                |          Owner:
     Type:  defect                              |         Status:  needs_review
 Priority:  Medium                              |      Milestone:  Tor: 0.3.1.x-final
Component:  Core Tor/Tor                        |        Version:  Tor: 0.3.1.1-alpha
 Severity:  Normal                              |     Resolution:
 Keywords:  regression memory-safety tor-relay  |  Actual Points:
Parent ID:                                      |         Points:
 Reviewer:                                      |        Sponsor:
------------------------------------------------+-------------------------------------

Comment (by teor):

 Replying to [comment:7 arma]:
 > Speaking of just about anything, it is distantly possible that relays
 > who hit this bug will print little pieces of arbitrary memory, if they are
 > valid nicknames or hexes, into the Family line of their descriptor. Good
 > times.

 Since the smallest valid nickname is 1 character, it discloses 1 byte with
 probability 62/256, 2 bytes with probability (62/256)^2, ...

 Unless it needs to be a valid continuation of a nickname list?

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/22368#comment:8>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online