[tor-bugs] #30996 [Core Tor/Tor]: namemap_get_or_create_id reads past its allocated memory
Tor Bug Tracker & Wiki
blackhole at torproject.org
Wed Jun 26 22:52:49 UTC 2019
#30996: namemap_get_or_create_id reads past its allocated memory
-------------------------------------+------------------------------------
Reporter: arma | Owner: nickm
Type: defect | Status: accepted
Priority: High | Milestone: Tor: 0.4.1.x-final
Component: Core Tor/Tor | Version:
Severity: Normal | Resolution:
Keywords: 041-must 041-regression | Actual Points:
Parent ID: | Points: 0.5
Reviewer: | Sponsor:
-------------------------------------+------------------------------------
Comment (by arma):
Yuck. I see the valgrind complaint with -O2 but I do not see it with -O0
or -O1. So I think you are right.
I have now added
{{{
diff --git a/src/lib/container/namemap.c b/src/lib/container/namemap.c
index a90057b..263e823 100644
--- a/src/lib/container/namemap.c
+++ b/src/lib/container/namemap.c
@@ -145,7 +145,10 @@ namemap_get_or_create_id(namemap_t *map,
return NAMEMAP_ERR; /* Can't allocate any more. */
mapped_name_t *insert = tor_malloc_zero(
- offsetof(mapped_name_t, name) + namelen + 1);
+ offsetof(mapped_name_t, name) + namelen + 1
+ /* Unfortunate hack to let valgrind handle SSE optimizations
+ * in strlen in -O2. See bug 30996. */
+ + 4);
memcpy(insert->name, name, namelen+1);
insert->intval = new_id;
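Review bot: the 4 bytes of slack added to the tor_malloc_zero size are not obviously enough for the case the comment names: SSE registers are 16 bytes wide, so a vectorized strlen can read up to 16 bytes at a time, and nothing in the hunk ties the constant 4 to that width. Suggest hoisting the size into a local (the bufsize variant mentioned in the discussion), naming the slack as a constant, and rounding the total up to a multiple of the vector width so the invariant is explicit rather than a magic number inside an argument list, e.g. `size_t bufsize = offsetof(mapped_name_t, name) + namelen + 1 + NAMEMAP_STRLEN_SLACK;` before the call. The comment should also say that namelen itself is unchanged, so the extra bytes are never copied into or read from by memcpy.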
}}}
to my list of patches that make moria1 different from master.
(I started with a slightly more complex hack, with a bufsize variable and
a -= and a %4, but a hack is a hack so I'll not quibble. :)
I'll let you decide if you want to close this as a wontfix and I'll just
maintain my workaround forever in my growing list of differences, or if
you want to take my hack into Tor itself.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/30996#comment:4>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
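The workaround discussed above pads a flexible-array-member allocation so that a word- or vector-wide strlen cannot read past the end of the heap block. The following is an added example, not Tor's code and not part of the ticket: it generalizes the +4 hack to a named slack constant and rounds the allocation up to a multiple of a 16-byte vector width. The struct `mapped_name_t` here is a stand-in for Tor's, and `NAME_PAD`, `mapped_name_alloc_size`, `mapped_name_slack_bytes` and `mapped_name_new` are hypothetical names introduced for the example.

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for Tor's mapped_name_t (assumption: an integer id followed by a
 * NUL-terminated name stored inline as a flexible array member). */
typedef struct mapped_name_t {
  unsigned intval;
  char name[];
} mapped_name_t;

/* Slack appended after the terminating NUL. 16 is the width of an SSE
 * register, so a 16-byte vector load that starts at the terminator stays
 * inside the block. The ticket's hack used 4; this generalizes it. */
#define NAME_PAD 16

/* Bytes to allocate for a name of namelen characters: header, name,
 * terminator and slack, rounded up to a multiple of NAME_PAD. */
size_t mapped_name_alloc_size(size_t namelen)
{
  size_t sz = offsetof(mapped_name_t, name) + namelen + 1 + NAME_PAD;
  return (sz + NAME_PAD - 1) & ~(size_t)(NAME_PAD - 1);
}

/* Bytes available after the terminating NUL for a name of namelen
 * characters; always at least NAME_PAD by construction. */
size_t mapped_name_slack_bytes(size_t namelen)
{
  return mapped_name_alloc_size(namelen)
         - offsetof(mapped_name_t, name) - namelen - 1;
}

/* Allocate a zeroed entry and copy the name (with its NUL) into it.
 * Only namelen + 1 bytes are copied; the slack is left zeroed and is never
 * read by this code, it only exists so an over-reading strlen stays in
 * bounds. Returns NULL on allocation failure. */
mapped_name_t *mapped_name_new(const char *name, unsigned id)
{
  size_t namelen = strlen(name);
  size_t bufsize = mapped_name_alloc_size(namelen);
  mapped_name_t *insert = calloc(1, bufsize);
  if (insert == NULL)
    return NULL;
  memcpy(insert->name, name, namelen + 1);
  insert->intval = id;
  return insert;
}
```

Because the slack is expressed as a rounding rule rather than a literal, the property a reviewer wants (at least one full vector width beyond the NUL) can be checked directly with `mapped_name_slack_bytes` instead of being inferred from a comment.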