[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

[tor-bugs] #21553 [Core Tor/Tor]: hs: bad use of sizeof() in encode_establish_intro_cell_legacy

Subject: [tor-bugs] #21553 [Core Tor/Tor]: hs: bad use of sizeof() in encode_establish_intro_cell_legacy
From: "Tor Bug Tracker & Wiki" <blackhole@xxxxxxxxxxxxxx>
Date: Fri, 24 Feb 2017 13:34:17 -0000
Auto-submitted: auto-generated
Delivered-to: archiver@xxxxxxxx
Delivery-date: Fri, 24 Feb 2017 08:34:27 -0500
List-archive: <http://lists.torproject.org/pipermail/tor-bugs/>
List-help: <mailto:tor-bugs-request@lists.torproject.org?subject=help>
List-id: "auto: Tor bug tracker status mails" <tor-bugs.lists.torproject.org>
List-post: <mailto:tor-bugs@lists.torproject.org>
List-subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs>, <mailto:tor-bugs-request@lists.torproject.org?subject=subscribe>
List-unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-bugs>, <mailto:tor-bugs-request@lists.torproject.org?subject=unsubscribe>
Reply-to: no-reply@xxxxxxxxxxxxxx, tor-assistants@xxxxxxxxxxxxxx
Sender: "tor-bugs" <tor-bugs-bounces@xxxxxxxxxxxxxxxxxxxx>

#21553: hs: bad use of sizeof() in encode_establish_intro_cell_legacy
------------------------------+----------------------------------
     Reporter:  dgoulet       |      Owner:
         Type:  defect        |     Status:  new
     Priority:  Medium        |  Milestone:  Tor: 0.3.1.x-final
    Component:  Core Tor/Tor  |    Version:
     Severity:  Normal        |   Keywords:  030-backport, tor-hs
Actual Points:                |  Parent ID:
       Points:                |   Reviewer:
      Sponsor:                |
------------------------------+----------------------------------
 Found by clang analysis:

 {{{
   r = crypto_pk_private_sign_digest(intro_key, cell_body_out+len,
                                     sizeof(cell_body_out)-len,
                                     cell_body_out, len);
 }}}

 The `sizeof()` here is wrong because `cell_body_out` is a pointer.
 However, we've been saved by the fact that this length is *not* used by
 the `crypto_pk_private_sign_digest()` call except for an assert.

 This was introduced by a refactoring which went from having the body on
 the stack to a pointer as a function parameter.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/21553>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
_______________________________________________
tor-bugs mailing list
tor-bugs@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

Follow-Ups:
- Re: [tor-bugs] #21553 [Core Tor/Tor]: hs: bad use of sizeof() in encode_establish_intro_cell_legacy
  - From: Tor Bug Tracker & Wiki
- Re: [tor-bugs] #21553 [Core Tor/Tor]: hs: bad use of sizeof() in encode_establish_intro_cell_legacy
  - From: Tor Bug Tracker & Wiki

Prev by Author: Re: [tor-bugs] #19711 [Core Tor/Tor]: circuit_package_relay_cell(): Bug: outgoing relay cell sent from src/or/relay.c:701 has n_chan==NULL. Dropping. (on Tor 0.2.8.5-rc )
Next by Author: Re: [tor-bugs] #21467 [Core Tor/Chutney]: Make chutney work with relative paths
Previous by thread: Re: [tor-bugs] #7144 [Core Tor/Tor]: Implement Bridge Guards and other anti-enumeration defenses
Next by thread: Re: [tor-bugs] #21553 [Core Tor/Tor]: hs: bad use of sizeof() in encode_establish_intro_cell_legacy
Index(es):
- Author
- Thread