[tor-bugs] #22368 [Core Tor/Tor]: double-free of MyFamily lines
Tor Bug Tracker & Wiki
blackhole at torproject.org
Thu May 25 05:23:11 UTC 2017
#22368: double-free of MyFamily lines
------------------------------------------------+--------------------------
Reporter: arma | Owner:
Type: defect | Status: needs_review
Priority: Medium | Milestone: Tor: 0.3.1.x-final
Component: Core Tor/Tor | Version: Tor: 0.3.1.1-alpha
Severity: Normal | Resolution:
Keywords: regression memory-safety tor-relay | Actual Points:
Parent ID: | Points:
Reviewer: | Sponsor:
------------------------------------------------+--------------------------
Comment (by teor):
Replying to [comment:7 arma]:
> Speaking of just about anything, it is distantly possible that relays
> who hit this bug will print little pieces of arbitrary memory, if they are
> valid nicknames or hexes, into the Family line of their descriptor. Good
> times.
Since the smallest valid nickname is 1 character, it discloses 1 byte with
probability 62/256, 2 bytes with probability (62/256)^2, ...
Unless it needs to be a valid continuation of a nickname list?
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/22368#comment:8>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online