[tor-bugs] #31001 [Core Tor/Tor]: Undefined behavior in tor_vasprintf()

Tor Bug Tracker & Wiki blackhole at torproject.org
Thu Jun 27 10:45:44 UTC 2019


#31001: Undefined behavior in tor_vasprintf()
-------------------------------------------------+-------------------------
 Reporter:  asn                                  |          Owner:  (none)
     Type:  defect                               |         Status:
                                                 |  needs_revision
 Priority:  Medium                               |      Milestone:  Tor:
                                                 |  0.4.1.x-final
Component:  Core Tor/Tor                         |        Version:
 Severity:  Normal                               |     Resolution:
 Keywords:  041-must hackerone bug-bounty        |  Actual Points:
  security-low unlikely-crash 029-backport       |
  035-backport 040-backport 041-backport         |
Parent ID:                                       |         Points:  0.5
 Reviewer:                                       |        Sponsor:
-------------------------------------------------+-------------------------
Changes (by teor):

 * status:  needs_review => needs_revision
 * keywords:  041-must hackerone bug-bounty =>
     041-must hackerone bug-bounty security-low unlikely-crash 029-backport
     035-backport 040-backport 041-backport
 * points:   => 0.5


Comment:

 This patch makes sense to me, and it passes CI.

 I'm marking it as security-low, because most common compilers don't
 aggressively optimise signed overflow in this context.
 (If they did, this code could introduce some nasty bugs in tor.)

 So the negative value will be converted to size_t by adding SIZE_T_MAX.
 On 32-bit systems, that's the correct value; on 64-bit systems, that's
 UINT64_MAX - INT32_MIN, which will fail to malloc and crash.
 Fortunately, most of Tor's parsers have document size limits that are much
 lower than 2GB.

 But we still need to backport this fix to compact.c in 0.2.9, and then
 merge forward.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/31001#comment:2>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
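As an added illustration of the conversion described in the comment above (this is not code from the ticket, the patch, or Tor's own tor_vasprintf()): a negative vsnprintf() result silently wraps when cast to size_t, so a checked wrapper must reject it before any size arithmetic or allocation. The helpers `length_as_size_t`, `length_is_unusable`, `checked_vasprintf` and `checked_asprintf` are hypothetical names chosen for this example.

```c
#include <limits.h>
#include <stdarg.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* The implicit conversion the ticket describes: a negative int becomes
 * SIZE_MAX + 1 + n when it is widened to size_t, a size malloc() rejects. */
size_t length_as_size_t(int len)
{
  return (size_t)len;
}

/* A vsnprintf() result is unusable as a buffer length if it signals an
 * encoding error (negative) or would overflow once 1 is added for the NUL. */
int length_is_unusable(int len)
{
  return len < 0 || len == INT_MAX;
}

/* Checked wrapper (hypothetical, not Tor's implementation): measures the
 * formatted length first, rejects negative or overlong results before any
 * size_t math, then allocates and formats. Returns the length or -1. */
int checked_vasprintf(char **out, const char *fmt, va_list args)
{
  va_list tmp;
  int len;
  char *buf;

  *out = NULL;
  va_copy(tmp, args);
  len = vsnprintf(NULL, 0, fmt, tmp);   /* measure only */
  va_end(tmp);
  if (length_is_unusable(len))          /* never cast a negative to size_t */
    return -1;
  buf = malloc((size_t)len + 1);        /* len >= 0 here, so this is safe */
  if (buf == NULL)
    return -1;
  if (vsnprintf(buf, (size_t)len + 1, fmt, args) != len) {
    free(buf);                          /* format changed between calls */
    return -1;
  }
  *out = buf;
  return len;
}

int checked_asprintf(char **out, const char *fmt, ...)
{
  va_list ap;
  int r;
  va_start(ap, fmt);
  r = checked_vasprintf(out, fmt, ap);
  va_end(ap);
  return r;
}
```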

