
[tor-dev] Fwd: [rt.torproject.org #14731] Off by one buffer overflow in tor stable



---------- Forwarded message ----------
From: Colin Childs via RT <help@xxxxxxxxxxxxxxxxx>
Date: 7 October 2013 14:25
Subject: [rt.torproject.org #14731] Off by one buffer overflow in tor stable
To: pedrib@xxxxxxxxx


On Mon Oct 07 12:13:21 2013, pedrib@xxxxxxxxx wrote:
> Hi,
>
> I think there is a small buffer overflow (off by one) in the current stable
> version of tor.
> The function in question is format_helper_exit_status, which returns a
> formatted hex string. It is in common/util.c, starting at line 3270.
> The function has a comment header that explains how it works. It
> specifically says it returns a string that is not null terminated, but
> instead terminates with a newline.
>
> The code checks periodically throughout the function whether it has written
> more bytes than it should. If it does, it errors out and writes a null
> character in the current character position. This by itself can lead to a
> buffer overflow, but I believe the checks ensure that it almost never
> writes over the buffer size - except in one case.
>
> After it has finished everything, it then checks again if there are more
> than 0 bytes left in the buffer. If there are, it writes two characters - a
> newline and a null terminator (lines 3342 to 3347).
>
> The problem here is if the buffer only has one byte left, an off by one
> overflow occurs. These usually are very hard to exploit, but can be a
> security issue nonetheless.
>
> However given that I am not familiar with the tor codebase I might be
> wrong? I also did a quick security audit on the rest of the tor code and
> couldn't find anything else. I was inspired because of the recent events...
>
> Regards
> Pedro
Hello,

Please send a copy of this email to our tor-dev mailing list at
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev.

Thank you!

--
Colin C.

-------------------------------------------

Hi,

Please find above a bug report with possible security implications. I
was a bit wary of sending to a public list at first, but I doubt the
bug above is exploitable.

Regards
Pedro
_______________________________________________
tor-dev mailing list
tor-dev@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev
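The boundary condition in the report, modelled as an added C example. This is not tor's format_helper_exit_status and not code from the thread; the names format_hex_unsafe and format_hex_fixed, the 4-byte buffer and the canary byte are assumptions chosen for illustration. The unsafe variant keeps the shape the report describes (check for "any byte left", then write a newline and a NUL), and the fixed variant refuses unless two bytes remain, returning an error instead of writing past the end. A canary placed one byte beyond the usable buffer, inside the same backing array, makes the single-byte overrun observable without relying on undefined behaviour.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example, not tor's code: a toy "hex digits, then newline and NUL"
 * formatter with the termination check described in the report. */

static const char HEXDIGITS[] = "0123456789abcdef";

/* Write the hex digits of value (no leading zeros, at least one digit) at cur.
 * Returns the digit count, or 0 if the digits would not fit in `left` bytes. */
static size_t put_hex_digits(char *cur, size_t left, unsigned value)
{
    char tmp[2 * sizeof(unsigned)];   /* one slot per nibble of `value` */
    size_t n = 0;
    do {
        tmp[n++] = HEXDIGITS[value & 0xfu];
        value >>= 4;
    } while (value != 0);
    if (n > left)
        return 0;
    for (size_t i = 0; i < n; i++)     /* tmp holds the digits reversed */
        cur[i] = tmp[n - 1 - i];
    return n;
}

/* Buggy shape from the report: the final check only asks whether any byte
 * is left, then writes two bytes. With exactly one byte left the '\0' lands
 * one past the end of buf. Returns bytes written (NUL included) or -1. */
int format_hex_unsafe(char *buf, size_t buflen, unsigned value)
{
    char *cur = buf;
    size_t left = buflen;
    size_t n = put_hex_digits(cur, left, value);
    if (n == 0)
        return -1;
    cur += n;
    left -= n;
    if (left > 0) {          /* BUG: left == 1 passes this check */
        *cur++ = '\n';
        *cur++ = '\0';       /* off-by-one write when left == 1 */
        return (int)(cur - buf);
    }
    return -1;
}

/* Fixed shape: require room for both terminator bytes before writing
 * either, and fail without touching memory past the buffer. */
int format_hex_fixed(char *buf, size_t buflen, unsigned value)
{
    char *cur = buf;
    size_t left = buflen;
    size_t n = put_hex_digits(cur, left, value);
    if (n == 0)
        return -1;
    cur += n;
    left -= n;
    if (left < 2)            /* need space for '\n' and '\0' */
        return -1;
    *cur++ = '\n';
    *cur++ = '\0';
    return (int)(cur - buf);
}

typedef int (*hex_fmt_fn)(char *, size_t, unsigned);

#define BUFLEN 4             /* assumed buffer size for the demonstration */
#define CANARY 0x5a

/* Run fn on a BUFLEN-byte buffer followed by a canary byte in the same
 * backing array. Returns 1 if the canary survived, 0 if it was overwritten. */
int canary_survives(hex_fmt_fn fn, unsigned value)
{
    char backing[BUFLEN + 1];
    memset(backing, 0, sizeof backing);
    backing[BUFLEN] = CANARY;
    (void)fn(backing, BUFLEN, value);
    return backing[BUFLEN] == CANARY;
}

/* Return code of fn for the same BUFLEN-byte buffer. */
int result_code(hex_fmt_fn fn, unsigned value)
{
    char backing[BUFLEN + 1] = {0};
    return fn(backing, BUFLEN, value);
}

/* 1 if fn succeeded and left exactly `expected` (NUL-terminated) in buf. */
int output_equals(hex_fmt_fn fn, unsigned value, const char *expected)
{
    char backing[BUFLEN + 1] = {0};
    if (fn(backing, BUFLEN, value) < 0)
        return 0;
    return strcmp(backing, expected) == 0;
}

int main(void)
{
    /* 0xabc needs three digits, leaving one byte: the boundary case. */
    printf("unsafe, 3 digits in 4 bytes: canary %s\n",
           canary_survives(format_hex_unsafe, 0xabcu) ? "intact" : "OVERWRITTEN");
    printf("fixed,  3 digits in 4 bytes: canary %s, rc=%d\n",
           canary_survives(format_hex_fixed, 0xabcu) ? "intact" : "OVERWRITTEN",
           result_code(format_hex_fixed, 0xabcu));
    printf("fixed,  2 digits in 4 bytes: rc=%d\n",
           result_code(format_hex_fixed, 0xabu));
    return 0;
}
```

Three digits in a four-byte buffer is the only input that separates the two variants: with two digits both succeed and produce "ab\n", with four digits both fail before the terminator step, and with three the unsafe variant clobbers the canary while the fixed one returns -1 and leaves it intact. The check to carry back to any "write N terminator bytes" tail is that the remaining-space test must compare against N, not against zero.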