
Re: [tor-bugs] #2320 [Tor Client]: var_cell_t with payload_len 0 risky



#2320: var_cell_t with payload_len 0 risky
------------------------+---------------------------------------------------
 Reporter:  arma        |       Owner:                    
     Type:  defect      |      Status:  new               
 Priority:  normal      |   Milestone:  Tor: 0.2.2.x-final
Component:  Tor Client  |     Version:                    
 Keywords:              |      Parent:                    
------------------------+---------------------------------------------------

Comment(by nickm):

 I'm not sure there's a bug here.  If the cell length is 0,
 var_cell->payload[0] will not exist... but that's no surprise.  Similarly,
 if the cell length is 50, then var_cell->payload[50] will not exist.  It
 is an error to refer to any var_cell->payload[i] unless i <
 var_cell->payload_len.   If we have any code that looks at any part of
 var_cell->payload without checking that payload_len is large enough, that
 code is simply broken.

 In fact, we could go one better and allocate _fewer_ bytes if it turns out
 that var_cell is padded: instead of saying
 {{{
 sizeof(var_cell_t)+payload_len-1
 }}}
  we could instead say
 {{{
 STRUCT_OFFSET(var_cell_t, payload[payload_len])
 }}}

 Also, evbuffer_remove(x, junk, 0) is safe.

 So am I wrong, or is there a residual problem here?

-- 
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/2320#comment:3>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
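
Added example, not part of the original comment and not Tor's code: a C sketch of the two allocation-size formulas quoted above and of a read that enforces i < payload_len. The struct, its field layout and all function names are assumptions made for illustration; only payload_len and the one-element payload[] tail are taken from the ticket.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed stand-in for var_cell_t; the field layout is an assumption.
 * Only payload_len and the one-element payload[] tail come from the ticket. */
typedef struct example_var_cell {
  uint32_t circ_id;
  uint8_t command;
  uint16_t payload_len;
  uint8_t payload[1]; /* really payload_len bytes */
} example_var_cell;

/* Size formula quoted first in the comment. */
static size_t size_by_sizeof(uint16_t len) {
  return sizeof(example_var_cell) + len - 1;
}

/* Offset-based formula; offsetof(payload) + len is the portable spelling
 * of STRUCT_OFFSET(var_cell_t, payload[payload_len]). */
static size_t size_by_offset(uint16_t len) {
  return offsetof(example_var_cell, payload) + len;
}

/* Allocate a zeroed cell; a zero-length payload is valid. */
static example_var_cell *example_cell_new(uint16_t len) {
  example_var_cell *c = calloc(1, size_by_offset(len));
  if (c) c->payload_len = len;
  return c;
}

/* Checked read: fails unless i < payload_len, so payload[0] of an empty
 * cell and payload[50] of a 50-byte cell are both refused. */
static int example_cell_get(const example_var_cell *c, size_t i, uint8_t *out) {
  if (!c || !out || i >= c->payload_len) return -1;
  *out = c->payload[i];
  return 0;
}

int main(void) {
  uint8_t b;
  example_var_cell *empty = example_cell_new(0);
  if (!empty) return 1;
  printf("len 0: sizeof-based=%zu offset-based=%zu read[0]=%d\n",
         size_by_sizeof(0), size_by_offset(0), example_cell_get(empty, 0, &b));
  free(empty);
  return 0;
}
```

The offset-based size is never larger than the sizeof-based one, because any trailing struct padding after payload[0] is not allocated.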