
[tor-bugs] #2331 [Tor Relay]: Possible integer overflows in base32_encode, base32_decode



#2331: Possible integer overflows in base32_encode, base32_decode
-----------------------+----------------------------------------------------
 Reporter:  rransom    |       Owner:                    
     Type:  defect     |      Status:  new               
 Priority:  critical   |   Milestone:  Tor: 0.2.1.x-final
Component:  Tor Relay  |     Version:                    
 Keywords:  easy       |      Parent:                    
-----------------------+----------------------------------------------------
 doors reports that the loop-termination comparisons in `base32_encode` and
 `base32_decode` compare indices of type `unsigned int` with bounds of type
 `size_t`.  The loops will never terminate if the upper bounds are greater
 than `UINT_MAX`.


 I see two other, more direct integer overflows in those functions:

 In `base32_encode`:
 {{{
 size_t nbits = srclen * 8;
 }}}

 In `base32_decode`:
 {{{
 size_t nbits;
 ...
 nbits = srclen * 5;
 }}}

 In both functions, `srclen` is a parameter of type `size_t`.

-- 
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/2331>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
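The two problems described in the ticket, as an added example that is not part of the original report and is not Tor's code. The helper names `checked_nbits`, `unchecked_nbits` and `narrow_index_loop` are hypothetical, and the loop model uses a `uint8_t` index as a scaled-down stand-in for `unsigned int` so the wraparound can be observed quickly.

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical helper, not Tor's code: store srclen * factor in *out.
 * Returns 0 on success, -1 if the product would wrap past SIZE_MAX. */
static int checked_nbits(size_t srclen, size_t factor, size_t *out)
{
  if (factor != 0 && srclen > SIZE_MAX / factor)
    return -1;
  *out = srclen * factor;
  return 0;
}

/* The unchecked multiplication quoted in the ticket: wraps silently. */
static size_t unchecked_nbits(size_t srclen, size_t factor)
{
  return srclen * factor;
}

/* Scaled-down model of the loop-termination bug: a uint8_t index stands in
 * for `unsigned int`, so a bound above UINT8_MAX plays the role of a bound
 * above UINT_MAX. Returns the iteration count, or -1 if the loop is still
 * running after `cap` iterations (the index wrapped and never reached bound). */
static long narrow_index_loop(size_t bound, long cap)
{
  uint8_t i;
  long iters = 0;
  for (i = 0; i < bound; ++i) {
    if (++iters > cap)
      return -1;
  }
  return iters;
}

int main(void)
{
  /* Constructed input: the smallest srclen for which srclen * 8 wraps. */
  size_t big = SIZE_MAX / 8 + 1;
  size_t nbits = 0;
  printf("unchecked: %zu\n", unchecked_nbits(big, 8));
  printf("checked:   %d\n", checked_nbits(big, 8, &nbits));
  printf("loop(200): %ld\n", narrow_index_loop(200, 100000));
  printf("loop(300): %ld\n", narrow_index_loop(300, 100000));
  return 0;
}
```

Rejecting the length before the multiplication, and declaring loop indices as `size_t` to match their bounds, removes both conditions.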