[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

[tor-bugs] #2352 [Tor Client]: more size_t_ceiling fun



#2352: more size_t_ceiling fun
------------------------+---------------------------------------------------
 Reporter:  arma        |       Owner:     
     Type:  defect      |      Status:  new
 Priority:  normal      |   Milestone:     
Component:  Tor Client  |     Version:     
 Keywords:              |      Parent:     
------------------------+---------------------------------------------------
 {{{
 <doorss> need to replace "if (tok->object_size >= INT_MAX) {"
 <doorss> with "if (tok->object_size >= SIZE_T_CEILING || tok->object_size
 >= INT_MAX) {"
 <doorss> for two places.
 <doorss> if it can be >= INT_MAX it can be INT_MAX - 1 too.
 <doorss> "tok->object_body = ALLOC(next-*s); /* really, this is too much
 RAM. */" is fragile too. no checks, utill assert.

 > doorss: which branch are you looking at?
 <doorss> it was master.

 <doorss> "if (tok->object_size >= INT_MAX)" mostly about cast to int. but
 if size can be such big (no assert here) so need to check for
 SIZE_T_CEILING.
 <doorss> it prevents overflow underflow and another truncates during
 "sig->signature_len = (int) tok->object_size"
 <doorss> SIZE_T_CEILING < INT_MAX for 32bit size_t
 <doorss> if tok->object_size == INT_MAX - 1 then "sig->signature =
 tor_memdup(tok->object_body, tok->object_size)" trigger assert for 32 bit.
 <doorss> we can't just replace INT_MAX with SIZE_T_CEILING. for 64 bit.
 }}}

-- 
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/2352>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
_______________________________________________
tor-bugs mailing list
tor-bugs@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs