[tor-bugs] #19150 [Core Tor/Tor]: Pointer overflow in memarea_alloc()
#19150: Pointer overflow in memarea_alloc()
------------------------------+---------------------------------
Reporter: asn | Owner:
Type: defect | Status: new
Priority: Medium | Milestone: Tor: 0.2.9.x-final
Component: Core Tor/Tor | Version: Tor: 0.2.1.10-alpha
Severity: Normal | Keywords: TorCoreTeam201605
Actual Points: | Parent ID:
Points: | Reviewer:
Sponsor: |
------------------------------+---------------------------------
There is a pointer overflow in `memarea_alloc()`:
{{{
if (chunk->next_mem+sz > chunk->U_MEM+chunk->mem_size) {
}}}
It does not seem to be RCE exploitable, since in all places in
`routerparse.c` where memareas are used, we restrict the input size to
128 KB or so (through `MAX_LINE_LENGTH` and `MAX_UNPARSED_OBJECT_SIZE`).
However, we should still fix this to plug any DoS threats and for future
code correctness.
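As an added illustration (my own code, not Tor's memarea implementation and not the fix that was committed for this ticket), the snippet below puts the quoted bounds check beside a hardened form. The `toy_chunk_t` layout, the function names and the 64-byte buffer are assumptions for the example. The naive check is rewritten on `uintptr_t` so its wrap-around is well-defined and can be shown in a test; the real pointer expression `chunk->next_mem+sz` is undefined behaviour when it overflows, which is the point of the ticket. The hardened check compares sizes, so it never forms an address beyond the end of the chunk.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical stand-in for a memarea chunk (constructed for this example,
 * not Tor's real struct): a bump allocator over a fixed buffer. */
typedef struct {
    size_t mem_size;  /* bytes of storage behind mem */
    char *next_mem;   /* bump pointer: next free byte */
    char *mem;        /* start of storage */
} toy_chunk_t;

/* The check in the shape the ticket quotes, on integers instead of pointers
 * so the overflow wraps predictably. A huge sz makes next + sz wrap to a
 * small value, and the check wrongly reports that there is room. */
static bool naive_has_room(const toy_chunk_t *c, size_t sz)
{
    uintptr_t next = (uintptr_t)c->next_mem;
    uintptr_t end  = (uintptr_t)c->mem + c->mem_size;
    return next + sz <= end;  /* overflow-prone comparison */
}

/* Hardened check: compute the bytes left as a size_t and compare sizes.
 * No pointer past the end of the chunk is ever formed. */
static bool safe_has_room(const toy_chunk_t *c, size_t sz)
{
    size_t used = (size_t)(c->next_mem - c->mem);  /* invariant: used <= mem_size */
    size_t remaining = c->mem_size - used;
    return sz <= remaining;
}

/* Bump-allocate sz bytes using the hardened check; NULL when it does not fit. */
static void *toy_alloc(toy_chunk_t *c, size_t sz)
{
    if (!safe_has_room(c, sz))
        return NULL;
    void *p = c->next_mem;
    c->next_mem += sz;
    return p;
}

/* Exercise both checks on a constructed chunk. Returns 0 when every
 * expectation holds, otherwise the number of the first failed step. */
static int run_demo(void)
{
    static char buf[64];
    toy_chunk_t c = { sizeof buf, buf + 32, buf };  /* 32 bytes already used */

    if (!safe_has_room(&c, 32) || safe_has_room(&c, 33))
        return 1;

    /* Choose sz so that next_mem + sz wraps to the small value 8. */
    size_t huge = (size_t)(0 - (uintptr_t)c.next_mem) + 8;
    if (!naive_has_room(&c, huge))   /* naive check is fooled by the wrap */
        return 2;
    if (safe_has_room(&c, huge))     /* hardened check rejects it */
        return 3;

    if (toy_alloc(&c, 16) != buf + 32 || c.next_mem != buf + 48)
        return 4;
    if (toy_alloc(&c, 17) != NULL)   /* only 16 bytes remain */
        return 5;
    return 0;
}

int main(void)
{
    int rc = run_demo();
    printf("demo %s (code %d)\n", rc == 0 ? "ok" : "FAILED", rc);
    return rc;
}
```

The test in `run_demo` picks `sz` relative to the live `next_mem` address so the wrapped sum lands at 8, which is below any real buffer address; with a 128 KB input cap as described above such a value cannot reach the real code, which is why the ticket classes this as DoS hardening rather than RCE.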
The bug was found by Guido Vranken through the HackerOne bug bounty
program.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/19150>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online