Re: [tor-bugs] #20894 [Core Tor/Tor]: Resolve read-off-end-of-buffer on atoi in fetch_from_buf_http (TROVE-2016-10-001) (was: Fix known instance of TROVE-2016-10-001)
#20894: Resolve read-off-end-of-buffer on atoi in fetch_from_buf_http (TROVE-2016-10-001)
---------------------------------------+-----------------------------------
Reporter: teor | Owner: nickm
Type: defect | Status: assigned
Priority: Medium | Milestone: Tor: 0.3.0.x-final
Component: Core Tor/Tor | Version: Tor: unspecified
Severity: Normal | Resolution:
Keywords: tor-03-unspecified-201612 | Actual Points:
Parent ID: | Points: 0.5
Reviewer: | Sponsor:
---------------------------------------+-----------------------------------
Comment (by nickm):
The problem was the atoi() in fetch_from_buf_http: it's entirely too happy
to read off the end of a buf if there is no subsequent '\n' in the same
chunk as the "content-length".
We fixed this with the patch for #20384, where we made sure that every buf
chunk was NUL-terminated, but we really ought to fix the underlying issue
too.
I have an overcomplicated patch in bug20894_024. Probably it should use
tor_parse_uint64 instead of atoi. But the part that I really dislike is
the hunt-for-the-newline-and-copy-the-header part -- it's overcomplicated
and more than a little bit zany.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/20894#comment:6>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
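The defect nickm describes is a digit scan that assumes the buffer chunk is NUL-terminated. Below is an added example, not Tor's code and not the bug20894_024 patch: a hypothetical `parse_content_length_bounded()` that keeps every read inside `chunk[0..len)` and refuses a header line that has no `'\n'` inside the chunk; the hand-rolled overflow-checked parse stands in for what `tor_parse_uint64` would do.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <strings.h>

/* Hypothetical bounded replacement for atoi() on a non-NUL-terminated chunk.
 * Returns 0 and sets *out on success, -1 if "Content-Length:" is absent or
 * its line does not end with '\n' inside len (possibly truncated: do not
 * scan past the end), -2 if the value is not a decimal that fits uint64_t. */
int
parse_content_length_bounded(const char *chunk, size_t len, uint64_t *out)
{
  static const char key[] = "content-length:";
  const size_t keylen = sizeof(key) - 1;
  size_t i, ndigits = 0;
  uint64_t v = 0;
  const char *eol;
  /* Case-insensitive search; strncasecmp reads at most keylen bytes and
   * the loop bound keeps all of them inside len. */
  for (i = 0; i + keylen <= len; i++)
    if (strncasecmp(chunk + i, key, keylen) == 0)
      break;
  if (i + keylen > len)
    return -1;
  i += keylen;
  while (i < len && (chunk[i] == ' ' || chunk[i] == '\t'))
    i++;
  /* No newline inside the chunk: the value may be cut off, refuse it. */
  eol = memchr(chunk + i, '\n', len - i);
  if (!eol)
    return -1;
  for (; chunk + i < eol && isdigit((unsigned char)chunk[i]); i++, ndigits++) {
    unsigned d = (unsigned)(chunk[i] - '0');
    if (v > (UINT64_MAX - d) / 10)
      return -2;                       /* would overflow */
    v = v * 10 + d;
  }
  if (ndigits == 0)
    return -2;
  /* Only CR or blanks may sit between the digits and the newline. */
  for (; chunk + i < eol; i++)
    if (chunk[i] != '\r' && chunk[i] != ' ' && chunk[i] != '\t')
      return -2;
  *out = v;
  return 0;
}
```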