[tor-bugs] #31682 [Core Tor/Tor]: CID 1453653: Integer handling (NEGATIVE_RETURNS) in build_establish_intro_dos_extension()

Tor Bug Tracker & Wiki blackhole at torproject.org
Tue Sep 10 11:24:27 UTC 2019


#31682: CID 1453653: Integer handling (NEGATIVE_RETURNS) in
build_establish_intro_dos_extension()
--------------------------------+---------------------------------------
     Reporter:  teor            |      Owner:  (none)
         Type:  defect          |     Status:  new
     Priority:  Medium          |  Milestone:  Tor: 0.4.2.x-final
    Component:  Core Tor/Tor    |    Version:
     Severity:  Normal          |   Keywords:  tor-hs, prop305, coverity
Actual Points:                  |  Parent ID:  #29999
       Points:                  |   Reviewer:
      Sponsor:  Sponsor27-must  |
--------------------------------+---------------------------------------
 trn_cell_extension_dos_encoded_len() returns ssize_t, but
 trn_cell_extension_field_setlen_field() takes size_t.
 This looks like a bug on #30924, copying sponsor fields across.

 {{{
 /src/feature/hs/hs_cell.c: 532 in build_establish_intro_dos_extension()
 528       /* Set the field with the encoded DoS extension. */
 529       dos_ext_encoded_len =
 trn_cell_extension_dos_encoded_len(dos_ext);
 530       /* Set length field and the field array size length. */
 531       trn_cell_extension_field_set_field_len(field,
 dos_ext_encoded_len);
    CID 1453653:  Integer handling issues  (NEGATIVE_RETURNS)
    "dos_ext_encoded_len" is passed to a parameter that cannot be negative.
 532       trn_cell_extension_field_setlen_field(field,
 dos_ext_encoded_len);
 533       /* Encode the DoS extension into the cell extension field. */
 534       field_array = trn_cell_extension_field_getarray_field(field);
 }}}

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/31682>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online


More information about the tor-bugs mailing list