[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

[tor-bugs] #21894 [Core Tor/Tor]: Base32_encode: *actually* allow inputs of odd sizes



#21894: Base32_encode: *actually* allow inputs of odd sizes
------------------------------+---------------------------------------
     Reporter:  nickm         |      Owner:
         Type:  defect        |     Status:  new
     Priority:  High          |  Milestone:  Tor: 0.3.1.x-final
    Component:  Core Tor/Tor  |    Version:
     Severity:  Normal        |   Keywords:  029-backport 030-backport
Actual Points:                |  Parent ID:
       Points:                |   Reviewer:
      Sponsor:                |
------------------------------+---------------------------------------
 When we "fixed" #18280 in 4e4a7d2b0c199227252a742541461ec4cc35d358 in 0291
 it appears that we introduced a bug: The base32_encode function can read
 off the end of the input buffer, if the input buffer size modulo 5 is not
 equal to 0 or 3.

 This is not ''completely'' horrible, for two reasons:
    * The extra bits that are read are never actually used: so this is only
 a crash when asan is enabled, in the worst case.
    * The input sizes passed to base32_encode are only ever multiples of 5.
 They are all either DIGEST_LEN (20), REND_SERVICE_ID_LEN (10),
 sizeof(rand_bytes) in addressmap.c (10), or an input in crypto.c that is
 forced to a multiple of 5.  So this bug can't actually trigger.

 Nonetheless, let's fix it!

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/21894>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
_______________________________________________
tor-bugs mailing list
tor-bugs@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs