Re: [tor-bugs] #14031 [Tor]: use after freed
#14031: use after freed
----------------------------+--------------------------------
      Reporter:  MegaManSec |          Owner:
          Type:  defect     |         Status:  needs_information
      Priority:  minor      |      Milestone:  Tor: 0.2.6.x-final
     Component:  Tor        |        Version:
    Resolution:             |       Keywords:  tor-tests
 Actual Points:             |      Parent ID:
        Points:             |
----------------------------+--------------------------------
Comment (by MegaManSec):
Cool, thanks.
How about this?:
rendservice.c

5. alias: Assigning: rp_nickname = intro->u.v0.rp. rp_nickname now points
to byte 0 of intro->u.v0.rp (which consists of 20 bytes).
1531 else rp_nickname = (const char *)(intro->u.v0.rp);

CID 12172 (#1 of 1): Out-of-bounds access (OVERRUN)
6. overrun-buffer-val: Overrunning buffer pointed to by rp_nickname of 20
bytes by passing it to a function which accesses it at byte offset 40.
1533 node = node_get_by_nickname(rp_nickname, 0);
Thanks,
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/14031#comment:4>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
_______________________________________________
tor-bugs mailing list
tor-bugs@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs
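
Added example, not part of the original message and not Tor's code: the report concerns a 20-byte field handed to a function that may read up to byte offset 40, and one generic guard for that pattern is to confirm the field holds a NUL within its 20 bytes before treating it as a C string. The names `lookup_scan_len`, `field_to_cstr` and `safe_lookup` are hypothetical, and whether the real field is always terminated is not stated in the report.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define FIELD_LEN 20  /* size of the fixed field, from the report */
#define MAX_SCAN  40  /* highest offset the callee may touch, from the report */

/* Hypothetical stand-in for a lookup that scans its argument as a C string
 * and may examine up to MAX_SCAN bytes. Returns how many bytes it read. */
static size_t lookup_scan_len(const char *name)
{
    size_t n = 0;
    while (n < MAX_SCAN && name[n] != '\0')
        n++;
    return n;
}

/* Copy a fixed-width field into a buffer that is guaranteed NUL-terminated.
 * Returns 0 on success, -1 if no terminator exists within FIELD_LEN bytes. */
int field_to_cstr(const unsigned char field[FIELD_LEN], char out[FIELD_LEN])
{
    const unsigned char *nul = memchr(field, '\0', FIELD_LEN);
    if (nul == NULL)
        return -1;              /* unterminated: a string read would overrun */
    memset(out, 0, FIELD_LEN);
    memcpy(out, field, (size_t)(nul - field));
    return 0;
}

/* Returns the number of bytes the lookup examined, or -1 if the field
 * was rejected before any string function could touch it. */
int safe_lookup(const unsigned char field[FIELD_LEN])
{
    char name[FIELD_LEN];
    if (field_to_cstr(field, name) != 0)
        return -1;
    return (int)lookup_scan_len(name);
}

int main(void)
{
    unsigned char ok[FIELD_LEN] = "alice";  /* constructed sample */
    unsigned char bad[FIELD_LEN];           /* constructed: no terminator */
    memset(bad, 'A', sizeof bad);
    printf("terminated field:   %d\n", safe_lookup(ok));
    printf("unterminated field: %d\n", safe_lookup(bad));
    return 0;
}
```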