[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]
Re: [tor-bugs] #18296 [Tor]: Potential integer overflow and memory corruption in smartlist_heapify
#18296: Potential integer overflow and memory corruption in smartlist_heapify
-------------------------+------------------------------------
Reporter: cypherpunks | Owner: nickm
Type: defect | Status: needs_review
Priority: Medium | Milestone: Tor: 0.2.8.x-final
Component: Tor | Version:
Severity: Normal | Resolution:
Keywords: | Actual Points:
Parent ID: | Points:
Sponsor: |
-------------------------+------------------------------------
Comment (by teor):
Replying to [comment:8 nickm]:
> Branch `bug18296` has a simple-ish fix for this. Is it right?
This check avoids overflow, but only once we get to the end of the list.
If it's a long list, that could take a while.
I wonder if we should just check `smartlist_len() <= (INT_MAX/2 - 2)`
instead?
Also, should we tor_assert() rather than returning?
The resultant heap is not valid, and might cause more subtle issues later
on.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/18296#comment:10>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
_______________________________________________
tor-bugs mailing list
tor-bugs@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs