[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]
Re: [tor-bugs] #18162 [Tor]: Potential heap corruption in smartlist_add(), smartlist_insert()
#18162: Potential heap corruption in smartlist_add(), smartlist_insert()
-------------------------------------------------+-------------------------
Reporter: asn | Owner: nickm
Type: defect | Status:
Priority: High | needs_review
Component: Tor | Milestone: Tor:
Severity: Normal | 0.2.8.x-final
Keywords: tor-bug-bounty security | Version:
025-backport 026-backport 027-backport | Resolution:
024-backport | Actual Points:
Parent ID: | Points:
Sponsor: |
-------------------------------------------------+-------------------------
Comment (by asn):
Looking at `bug18162_024`:
{{{
- if (size > sl->capacity) {
- int higher = sl->capacity;
+ tor_assert(size <= MAX_CAPACITY);
}}}
can't this assert be triggered by an attacker who can fill up smartlists?
For example `smartlist_add()` does
{{{
- smartlist_ensure_capacity(sl, sl->num_used+1);
+ smartlist_ensure_capacity(sl, ((size_t) sl->num_used)+1);
}}}
what if `sl->num_used` is MAX_CAPACITY at that point?
Or is that assert just there to stop the heap corruption, assuming we will
never need so many elements in a smartlist?
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/18162#comment:17>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
_______________________________________________
tor-bugs mailing list
tor-bugs@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs