
[tor-bugs] #18296 [Tor]: Potential integer overflow and memory corruption in smartlist_heapify



#18296: Potential integer overflow and memory corruption in smartlist_heapify
-----------------------------+-----------------
     Reporter:  cypherpunks  |      Owner:
         Type:  defect       |     Status:  new
     Priority:  Medium       |  Milestone:
    Component:  Tor          |    Version:
     Severity:  Normal       |   Keywords:
Actual Points:               |  Parent ID:
       Points:               |    Sponsor:
-----------------------------+-----------------
 The LEFT_CHILD/RIGHT_CHILD macros used in container.c::smartlist_heapify()
 can overflow.

 This can potentially result in using a negative array index in the
 smartlist memory block and writing to some out of bounds memory location.

 This is probably not currently exploitable, given the limited usage of
 smartlist_heapify. The places where it is used look hard to control for an
 attacker and the amount of memory required would likely be too much for
 Tor to be able to allocate.

 Tor should be built with ftrapv. Ticket 17983 looks like a bad idea.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/18296>