[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-bugs] #10313 [Tor]: or/channeltls.c Pointer Overflow Leads To Undefined Behavior, No Error Handling



#10313: or/channeltls.c Pointer Overflow Leads To Undefined Behavior, No Error
Handling
-------------------------+-------------------------------------------------
     Reporter:           |      Owner:
  jaredlwong             |     Status:  new
         Type:  defect   |  Milestone:  Tor: 0.2.5.x-final
     Priority:  normal   |    Version:  Tor: unspecified
    Component:  Tor      |   Keywords:  pointer overflow undefined behavior
   Resolution:           |  024-backport
Actual Points:           |  Parent ID:
       Points:           |
-------------------------+-------------------------------------------------

Comment (by nickm):

 Fortunately, the check is in fact never going to get needed, as discussed
 in #9980:  my_addr_len is set with
 {{{
   my_addr_len = (uint8_t) cell->payload[5];
 }}}
 and so it can never be greater than 255.  CELL_PAYLOAD_SIZE is 509, so
 my_addr_len can never be greater than CELL_PAYLOAD_SIZE - 6. The whole
 check is unnecessary.

 That said, I'm applying this smaller fix, with a comment.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/10313#comment:3>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
_______________________________________________
tor-bugs mailing list
tor-bugs@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs