[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-bugs] #14031 [Tor]: use after freed



#14031: use after freed
----------------------------+--------------------------------
     Reporter:  MegaManSec  |      Owner:
         Type:  defect      |     Status:  needs_information
     Priority:  minor       |  Milestone:  Tor: 0.2.6.x-final
    Component:  Tor         |    Version:
   Resolution:              |   Keywords:  tor-tests
Actual Points:              |  Parent ID:
       Points:              |
----------------------------+--------------------------------

Comment (by MegaManSec):

 Cool, thanks.

 How about this?:

 rendservice.c



 5. alias: Assigning: rp_nickname = intro->u.v0.rp. rp_nickname now points
 to byte 0 of intro->u.v0.rp (which consists of 20 bytes).
 1531    else rp_nickname = (const char *)(intro->u.v0.rp);



 CID 12172 (#1 of 1): Out-of-bounds access (OVERRUN)6. overrun-buffer-val:
 Overrunning buffer pointed to by rp_nickname of 20 bytes by passing it to
 a function which accesses it at byte offset 40. [show details]
 1533    node = node_get_by_nickname(rp_nickname, 0);


 Thanks,

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/14031#comment:4>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
_______________________________________________
tor-bugs mailing list
tor-bugs@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs