[tor-bugs] #2331 [Tor Relay]: Possible integer overflows in base32_encode, base32_decode
#2331: Possible integer overflows in base32_encode, base32_decode
-----------------------+----------------------------------------------------
 Reporter:  rransom    |      Owner:
     Type:  defect     |     Status:  new
 Priority:  critical   |  Milestone:  Tor: 0.2.1.x-final
Component:  Tor Relay  |    Version:
 Keywords:  easy       |     Parent:
-----------------------+----------------------------------------------------
doors reports that the loop-termination comparisons in `base32_encode` and
`base32_decode` compare indices of type `unsigned int` with bounds of type
`size_t`. The loops will never terminate if the upper bounds are greater
than `UINT_MAX`.

I see two other, more direct integer overflows in those functions:

In `base32_encode`:
{{{
size_t nbits = srclen * 8;
}}}

In `base32_decode`:
{{{
size_t nbits;
...
nbits = srclen * 5;
}}}

In both functions, `srclen` is a parameter of type `size_t`.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/2331>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
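
The two problems reported in this ticket, shown as an added C example that is not part of the original message and is not Tor's code: the `srclen * 8` and `srclen * 5` products are checked before use, and the loop index has the same type as its bound. The names `checked_nbits`, `unchecked_nbits` and `b32_encode_checked`, the lowercase RFC 4648 alphabet and the sample input are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper: store srclen * per in *nbits, refusing to wrap. */
int checked_nbits(size_t srclen, size_t per, size_t *nbits)
{
    if (per != 0 && srclen > SIZE_MAX / per)
        return -1;                      /* product would exceed SIZE_MAX */
    *nbits = srclen * per;
    return 0;
}

/* The unchecked expression from the ticket: wraps modulo SIZE_MAX + 1. */
size_t unchecked_nbits(size_t srclen, size_t per) { return srclen * per; }

/* Hypothetical hardened encoder (lowercase RFC 4648 alphabet, no padding).
 * Returns 0 on success, -1 on overflow, bad length or short buffer. */
int b32_encode_checked(char *dest, size_t destlen,
                       const uint8_t *src, size_t srclen)
{
    static const char alphabet[] = "abcdefghijklmnopqrstuvwxyz234567";
    size_t nbits, bit, i;               /* same type as the size_t bound */

    if (checked_nbits(srclen, 8, &nbits) < 0)
        return -1;
    if (nbits % 5 != 0 || nbits / 5 + 1 > destlen)
        return -1;
    for (i = 0, bit = 0; bit < nbits; ++i, bit += 5) {
        /* 16-bit window starting at the byte that holds this bit */
        unsigned v = (unsigned)src[bit / 8] << 8;
        if (bit / 8 + 1 < srclen)
            v |= src[bit / 8 + 1];
        dest[i] = alphabet[(v >> (11 - bit % 8)) & 0x1f];
    }
    dest[i] = '\0';
    return 0;
}

int main(void)
{
    char out[9];
    size_t n = 0, big = SIZE_MAX / 8 + 1;   /* constructed: just past the limit */
    printf("unchecked nbits: %zu\n", unchecked_nbits(big, 8));
    printf("checked result:  %d\n", checked_nbits(big, 8, &n));
    if (b32_encode_checked(out, sizeof out, (const uint8_t *)"hello", 5) == 0)
        printf("encoded: %s\n", out);
    return 0;
}
```

With the unchecked product, a length just past `SIZE_MAX / 8` yields `nbits == 0`, so the size assertions that follow are evaluated against a wrapped value rather than the real input length.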