[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

[tor-commits] [tor/maint-0.4.2] Prevent UB on signed overflow.

To: tor-commits@xxxxxxxxxxxxxxxxxxxx
Subject: [tor-commits] [tor/maint-0.4.2] Prevent UB on signed overflow.
From: teor@xxxxxxxxxxxxxx
Date: Tue, 22 Oct 2019 22:49:46 +0000 (UTC)
Delivered-to: archiver@xxxxxxxx
Delivery-date: Tue, 22 Oct 2019 19:00:36 -0400
List-archive: <http://lists.torproject.org/pipermail/tor-commits/>
List-help: <mailto:tor-commits-request@lists.torproject.org?subject=help>
List-id: "auto: code repository commits" <tor-commits.lists.torproject.org>
List-post: <mailto:tor-commits@lists.torproject.org>
List-subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-commits>, <mailto:tor-commits-request@lists.torproject.org?subject=subscribe>
List-unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-commits>, <mailto:tor-commits-request@lists.torproject.org?subject=unsubscribe>
Patch-author: Tobias Stoeckmann <tobias@xxxxxxxxxxxxxx>
Sender: "tor-commits" <tor-commits-bounces@xxxxxxxxxxxxxxxxxxxx>

commit 0d4a689d3ae8f7e05b3baf8ad71d983a767ef55b
Author: Tobias Stoeckmann <tobias@xxxxxxxxxxxxxx>
Date:   Mon Jun 24 22:08:49 2019 +0200

    Prevent UB on signed overflow.
    
    Overflowing a signed integer in C is an undefined behaviour.
    It is possible to trigger this undefined behaviour in tor_asprintf on
    Windows or systems lacking vasprintf.
    
    On these systems, eiter _vscprintf or vsnprintf is called to retrieve
    the required amount of bytes to hold the string. These functions can
    return INT_MAX. The easiest way to recreate this is the use of a
    specially crafted configuration file, e.g. containing the line:
    
    FirewallPorts AAAAA<in total 2147483610 As>
    
    This line triggers the needed tor_asprintf call which eventually
    leads to an INT_MAX return value from _vscprintf or vsnprintf.
    
    The needed byte for \0 is added to the result, triggering the
    overflow and therefore the undefined behaviour.
    
    Casting the value to size_t before addition fixes the behaviour.
    
    Signed-off-by: Tobias Stoeckmann <tobias@xxxxxxxxxxxxxx>
---
 src/common/compat.c | 9 ++++-----
 1 file changed, 4 insertions(+), 5 deletions(-)

diff --git a/src/common/compat.c b/src/common/compat.c
index 975875112..6f7ac7bd7 100644
--- a/src/common/compat.c
+++ b/src/common/compat.c
@@ -540,8 +540,8 @@ tor_vasprintf(char **strp, const char *fmt, va_list args)
     *strp = NULL;
     return -1;
   }
-  strp_tmp = tor_malloc(len + 1);
-  r = _vsnprintf(strp_tmp, len+1, fmt, args);
+  strp_tmp = tor_malloc((size_t)len + 1);
+  r = _vsnprintf(strp_tmp, (size_t)len+1, fmt, args);
   if (r != len) {
     tor_free(strp_tmp);
     *strp = NULL;
@@ -566,9 +566,9 @@ tor_vasprintf(char **strp, const char *fmt, va_list args)
     *strp = tor_strdup(buf);
     return len;
   }
-  strp_tmp = tor_malloc(len+1);
+  strp_tmp = tor_malloc((size_t)len+1);
   /* use of tor_vsnprintf() will ensure string is null terminated */
-  r = tor_vsnprintf(strp_tmp, len+1, fmt, args);
+  r = tor_vsnprintf(strp_tmp, (size_t)len+1, fmt, args);
   if (r != len) {
     tor_free(strp_tmp);
     *strp = NULL;
@@ -3543,4 +3543,3 @@ tor_get_avail_disk_space(const char *path)
   return -1;
 #endif
 }
-



_______________________________________________
tor-commits mailing list
tor-commits@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-commits

Prev by Author: [tor-commits] [tor/release-0.4.1] Merge branch 'maint-0.3.5' into maint-0.4.0
Next by Author: [tor-commits] [tor/release-0.3.5] hs: Always use a 3-hop path when a v3 single onion intro fails
Previous by thread: [tor-commits] [tor/maint-0.4.1] Merge remote-tracking branch 'tor-github/pr/1351' into maint-0.2.9
Next by thread: [tor-commits] [tor/maint-0.4.2] clarify in man page: we count by powers of two
Index(es):
- Author
- Thread