[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

[tor-bugs] #2324 [Tor Client]: realloc should check SIZE_T_CEILING too?



#2324: realloc should check SIZE_T_CEILING too?
------------------------+---------------------------------------------------
 Reporter:  arma        |       Owner:               
     Type:  defect      |      Status:  new          
 Priority:  normal      |   Milestone:               
Component:  Tor Client  |     Version:  Tor: 0.2.1.26
 Keywords:              |      Parent:               
------------------------+---------------------------------------------------
 Our recent code security fixes made malloc check
 {{{
   tor_assert(size < SIZE_T_CEILING);
 }}}

 but we didn't add a similar check to tor_realloc().

 Assuming we do add it, doors pointed out another gotcha:

 In tor_gzip_uncompress() we
 {{{
         *out = tor_realloc(*out, out_size);
         stream->next_out = (unsigned char*)(*out + offset);
         if (out_size - offset > UINT_MAX) {
           log_warn(LD_BUG,  "Ran over unsigned int limit of zlib while "
                    "uncompressing.");
           goto err;
         }
 }}}

 And since the largest compressed blob we'll accept is MAX_DIR_DL_SIZE
 (16MBish), a compress bomb (e.g. a consensus answer) could create a string
 that's more than SIZE_T_CEILING yet less than UINT_MAX, thus remotely
 triggering the assert in tor_realloc.

-- 
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/2324>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
_______________________________________________
tor-bugs mailing list
tor-bugs@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs