[tor-commits] [tor/maint-0.2.7] Fix undefined behavior caused by memory overlap

nickm at torproject.org nickm at torproject.org
Tue Dec 1 03:02:54 UTC 2015


commit be0891667e12a223ebda02dac2ba4a855bef4e52
Author: cypherpunks <cypherpunks at torproject.org>
Date:   Fri Jul 17 11:53:12 2015 +0200

    Fix undefined behavior caused by memory overlap
    
    The tor_cert_get_checkable_sig function uses the signing key included in
    the certificate (if available) when a separate public key is not given.
    
    When the signature is valid, the tor_cert_checksig function copies the
    public key from the checkable structure to the public key field of the
    certificate signing key.
    
    In situations where the separate public key is not given but the
    certificate includes a signing key, the source and destination pointers
    in the copy operation are equal and invoke undefined behavior.
    
    Undefined behaviour is avoided by ensuring both pointers are different.
---
 src/or/torcert.c |    6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/src/or/torcert.c b/src/or/torcert.c
index 596cd2b..ef5b4c0 100644
--- a/src/or/torcert.c
+++ b/src/or/torcert.c
@@ -206,7 +206,11 @@ tor_cert_checksig(tor_cert_t *cert,
     return -1;
   } else {
     cert->sig_ok = 1;
-    memcpy(cert->signing_key.pubkey, checkable.pubkey->pubkey, 32);
+    /* Only copy the checkable public key when it is different from the signing
+     * key of the certificate to avoid undefined behavior. */
+    if (cert->signing_key.pubkey != checkable.pubkey->pubkey) {
+      memcpy(cert->signing_key.pubkey, checkable.pubkey->pubkey, 32);
+    }
     cert->cert_valid = 1;
     return 0;
   }





More information about the tor-commits mailing list