[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-bugs] #18296 [Tor]: Potential integer overflow and memory corruption in smartlist_heapify

Subject: Re: [tor-bugs] #18296 [Tor]: Potential integer overflow and memory corruption in smartlist_heapify
From: "Tor Bug Tracker & Wiki" <blackhole@xxxxxxxxxxxxxx>
Date: Thu, 18 Feb 2016 02:06:34 -0000
Auto-submitted: auto-generated
Delivered-to: archiver@xxxxxxxx
Delivery-date: Wed, 17 Feb 2016 21:06:43 -0500
In-reply-to: <051.44cef5ca8077d50b41cca2b13a5bdb40@xxxxxxxxxxxxxx>
List-archive: <http://lists.torproject.org/pipermail/tor-bugs/>
List-help: <mailto:tor-bugs-request@lists.torproject.org?subject=help>
List-id: "auto: Tor bug tracker status mails" <tor-bugs.lists.torproject.org>
List-post: <mailto:tor-bugs@lists.torproject.org>
List-subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs>, <mailto:tor-bugs-request@lists.torproject.org?subject=subscribe>
List-unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-bugs>, <mailto:tor-bugs-request@lists.torproject.org?subject=unsubscribe>
References: <051.44cef5ca8077d50b41cca2b13a5bdb40@xxxxxxxxxxxxxx>
Reply-to: tor-assistants@xxxxxxxxxxxxxx
Sender: "tor-bugs" <tor-bugs-bounces@xxxxxxxxxxxxxxxxxxxx>

#18296: Potential integer overflow and memory corruption in smartlist_heapify
-------------------------+------------------------------------
 Reporter:  cypherpunks  |          Owner:  nickm
     Type:  defect       |         Status:  needs_review
 Priority:  Medium       |      Milestone:  Tor: 0.2.8.x-final
Component:  Tor          |        Version:
 Severity:  Normal       |     Resolution:
 Keywords:               |  Actual Points:
Parent ID:               |         Points:
  Sponsor:               |
-------------------------+------------------------------------

Comment (by nickm):

 Have another look at the algorithm?  It starts with an idx that possibly
 violates the heap property by being larger than one or both of its
 children.  If it does, it swaps a child into the current idx, and then
 looks to see whether the heap property is now violated at the child's old
 position.  If HAS_CHILDREN(idx) is false, it is impossible for idx to have
 a pair of children -- though hm, when I wake up I should see whether it
 can have only a single child.

 Note also that idx is monotonically increasing here, and it approximately
 doubles each time through the loop.  So at worse we're doing a small
 number of iterations.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/18296#comment:11>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
_______________________________________________
tor-bugs mailing list
tor-bugs@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

References:
- [tor-bugs] #18296 [Tor]: Potential integer overflow and memory corruption in smartlist_heapify
  - From: Tor Bug Tracker & Wiki

Prev by Author: Re: [tor-bugs] #15937 [Tor]: Clients fail on the 7th rapid SOCKS request to the same HS
Next by Author: [tor-bugs] #18333 [Tor Browser]: Upgrade go to 1.6
Previous by thread: Re: [tor-bugs] #18296 [Tor]: Potential integer overflow and memory corruption in smartlist_heapify
Next by thread: Re: [tor-bugs] #18296 [Tor]: Potential integer overflow and memory corruption in smartlist_heapify
Index(es):
- Author
- Thread