
[tor-bugs] #8037 [- Select a component]: Specially crafted microdesc could trigger a flush of up to 16MB of uninitialized heap-allocated memory to media



#8037: Specially crafted microdesc could trigger a flush of up to 16MB of
uninitialized heap-allocated memory to media
----------------------------------+-----------------------------------------
 Reporter:  cypherpunks           |          Owner:     
     Type:  defect                |         Status:  new
 Priority:  normal                |      Milestone:     
Component:  - Select a component  |        Version:     
 Keywords:                        |         Parent:     
   Points:                        |   Actualpoints:     
----------------------------------+-----------------------------------------
 microdescs_parse_from_string() and related functions do not treat the string
 as null-terminated and allow processing a "string" with a zero byte in the
 middle. md->body = tor_strndup(cp, md->bodylen) duplicates only part of such
 a string. dump_microdescriptor() flushes all bodylen bytes of md's body to
 disk. Specially crafted bytes appended to a valid md sent by a directory
 cache could lead to flushing up to 16MB of memory data to media. Tor tries to
 clear sensitive data on free(), but some non-cleared memory still does not
 need to be written in plain text to media.

-- 
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/8037>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
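
The mismatch the ticket describes, between the bytes a string copy actually holds and the recorded bodylen, can be closed by rejecting any span with an embedded NUL and by clamping the length used at write time. This is an added example, not Tor's code and not part of the ticket; struct entry, entry_store(), entry_dump_len() and the sample inputs are hypothetical and constructed for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for a parsed entry: a body and its recorded length. */
struct entry { char *body; size_t bodylen; };

/* Constructed sample inputs: a well-formed span, and one with a NUL in the middle. */
static const char GOOD[] = "onion-key\nsample body\n";
static const char CRAFTED[] = "onion-key\n\0bytes after the NUL";

/* Copy exactly len bytes and terminate, so all len bytes of the copy are initialized. */
static char *memdup_nulterm(const char *cp, size_t len) {
    char *out = malloc(len + 1);
    if (!out) return NULL;
    memcpy(out, cp, len);
    out[len] = '\0';
    return out;
}

/* Store a span only if it is a proper C string of exactly len bytes.
 * Returns 0 on success, -1 if the span is rejected or allocation fails. */
int entry_store(struct entry *e, const char *cp, size_t len) {
    e->body = NULL;
    e->bodylen = 0;
    if (memchr(cp, '\0', len) != NULL) return -1;   /* embedded NUL: reject */
    if (!(e->body = memdup_nulterm(cp, len))) return -1;
    e->bodylen = len;
    return 0;
}

/* Defence in depth at write time: never report more bytes than the string holds. */
size_t entry_dump_len(const struct entry *e) {
    size_t actual = e->body ? strlen(e->body) : 0;
    return actual < e->bodylen ? actual : e->bodylen;
}

int main(void) {
    struct entry e;
    printf("good: %d\n", entry_store(&e, GOOD, sizeof GOOD - 1));
    free(e.body);
    printf("crafted: %d\n", entry_store(&e, CRAFTED, sizeof CRAFTED - 1));
    return 0;
}
```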