Re: [tor-bugs] #31001 [Core Tor/Tor]: Undefined behavior in tor_vasprintf()
#31001: Undefined behavior in tor_vasprintf()
-------------------------------------------------+-------------------------
 Reporter:  asn                                  |  Owner:  (none)
     Type:  defect                               |  Status:  needs_revision
 Priority:  Medium                               |  Milestone:  Tor: 0.4.1.x-final
Component:  Core Tor/Tor                         |  Version:
 Severity:  Normal                               |  Resolution:
 Keywords:  041-must hackerone bug-bounty        |  Actual Points:
            security-low unlikely-crash          |
            029-backport 035-backport            |
            040-backport 041-backport            |
Parent ID:                                       |  Points:  0.5
 Reviewer:                                       |  Sponsor:
-------------------------------------------------+-------------------------
Changes (by teor):
* status: needs_review => needs_revision
* keywords: 041-must hackerone bug-bounty =>
041-must hackerone bug-bounty security-low unlikely-crash 029-backport
035-backport 040-backport 041-backport
* points: => 0.5
Comment:
This patch makes sense to me, and it passes CI.
I'm marking it as security-low, because most common compilers don't
aggressively optimise signed overflow in this context.
(If they did, this code could introduce some nasty bugs in tor.)
So the negative value will be converted to size_t by adding SIZE_T_MAX.
On 32-bit systems, that's the correct value; on 64-bit systems, that's
UINT64_MAX - INT32_MIN, which will fail to malloc and crash.
Fortunately, most of Tor's parsers have document size limits that are much
lower than 2GB.
But we still need to backport this fix to compact.c in 0.2.9, and then
merge forward.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/31001#comment:2>
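The failure mode discussed in the comment above is a negative vsnprintf() return value (an error indication) being converted to size_t and used as an allocation length. The following is an added example written for this page, not Tor's tor_vasprintf() or any code from the ticket: negative_to_size_t() shows what the conversion produces, naive_alloc_size() shows the allocation request a naive `(size_t)len + 1` would make for such a value, and checked_vasprintf()/checked_asprintf() are a hypothetical hardened implementation that rejects the error case before any arithmetic on the length.

```c
#include <limits.h>
#include <stdarg.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Converting a negative int to size_t is defined in C: the value is reduced
 * modulo SIZE_MAX + 1, so -1 becomes SIZE_MAX and INT_MIN becomes a value
 * just below SIZE_MAX on both 32- and 64-bit targets. */
size_t negative_to_size_t(int n) {
    return (size_t)n;
}

/* The allocation size a naive "(size_t)len + 1" would request for a given
 * vsnprintf() return value. For len == -1 this wraps to 0; for other
 * negative values it is an enormous request that malloc() will refuse. */
size_t naive_alloc_size(int len) {
    return (size_t)len + 1;
}

/* Hypothetical hardened vasprintf: measure first, reject a negative (error)
 * return or a length that leaves no room for the terminating NUL, and only
 * then convert to size_t and allocate. Returns the formatted length on
 * success and -1 on failure (with *strp set to NULL). */
int checked_vasprintf(char **strp, const char *fmt, va_list args) {
    va_list measure;
    va_copy(measure, args);
    int len = vsnprintf(NULL, 0, fmt, measure);
    va_end(measure);

    /* The check the ticket is about: never let a negative value reach size_t. */
    if (len < 0 || len == INT_MAX) {
        *strp = NULL;
        return -1;
    }

    size_t need = (size_t)len + 1;  /* safe: len is known non-negative and < INT_MAX */
    char *buf = malloc(need);
    if (buf == NULL) {
        *strp = NULL;
        return -1;
    }

    int written = vsnprintf(buf, need, fmt, args);
    if (written < 0 || (size_t)written >= need) {
        /* Formatting failed or the result changed size between calls. */
        free(buf);
        *strp = NULL;
        return -1;
    }

    *strp = buf;
    return written;
}

/* Variadic wrapper around checked_vasprintf(). */
int checked_asprintf(char **strp, const char *fmt, ...) {
    va_list ap;
    va_start(ap, fmt);
    int r = checked_vasprintf(strp, fmt, ap);
    va_end(ap);
    return r;
}

int main(void) {
    char *s = NULL;
    int n = checked_asprintf(&s, "%s=%d", "port", 9050);  /* constructed sample input */
    if (n >= 0) {
        printf("%d bytes: %s\n", n, s);
        free(s);
    }
    printf("(size_t)-1 = %zu, naive alloc for -1 = %zu\n",
           negative_to_size_t(-1), naive_alloc_size(-1));
    return 0;
}
```

The decisive line is the `len < 0` test before the cast: once the value is in size_t, the error indication is gone and the only remaining symptom is an allocation request the allocator cannot satisfy.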