[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]
Re: [tor-bugs] #10313 [Tor]: or/channeltls.c Pointer Overflow Leads To Undefined Behavior, No Error Handling
#10313: or/channeltls.c Pointer Overflow Leads To Undefined Behavior, No Error
Handling
-------------------------+-------------------------------------------------
Reporter: | Owner:
jaredlwong | Status: new
Type: defect | Milestone: Tor: 0.2.5.x-final
Priority: normal | Version: Tor: unspecified
Component: Tor | Keywords: pointer overflow undefined behavior
Resolution: | 024-backport
Actual Points: | Parent ID:
Points: |
-------------------------+-------------------------------------------------
Comment (by nickm):
Fortunately, the check is in fact never going to get needed, as discussed
in #9980: my_addr_len is set with
{{{
my_addr_len = (uint8_t) cell->payload[5];
}}}
and so it can never be greater than 255. CELL_PAYLOAD_SIZE is 509, so
my_addr_len can never be greater than CELL_PAYLOAD_SIZE - 6. The whole
check is unnecessary.
That said, I'm applying this smaller fix, with a comment.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/10313#comment:3>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
_______________________________________________
tor-bugs mailing list
tor-bugs@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs