[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]
Re: [tor-bugs] #12227 [Tor]: ASan stack-buffer-overflow in prune_v2_cipher_list -- not exploitable
#12227: ASan stack-buffer-overflow in prune_v2_cipher_list -- not exploitable
---------------------------+-------------------------------------
Reporter: starlight | Owner:
Type: defect | Status: needs_review
Priority: normal | Milestone: Tor: 0.2.5.x-final
Component: Tor | Version: Tor: 0.2.4.22
Resolution: | Keywords: tor-client 024-backport
Actual Points: | Parent ID:
Points: |
---------------------------+-------------------------------------
Changes (by nickm):
* status: new => needs_review
* keywords: => tor-client 024-backport
* milestone: => Tor: 0.2.5.x-final
Comment:
The SSLv23_method() call is later modified by the SSL_OP_NO_SSLv2 flag.
As for the patch, why can't it just be:
{{{
diff --git a/src/common/tortls.c b/src/common/tortls.c
index a6444b8..05e0b50 100644
--- a/src/common/tortls.c
+++ b/src/common/tortls.c
@@ -1477,10 +1477,11 @@ prune_v2_cipher_list(void)
inp = outp = v2_cipher_list;
while (*inp) {
- unsigned char cipherid[2];
+ unsigned char cipherid[3];
const SSL_CIPHER *cipher;
/* Is there no better way to do this? */
set_uint16(cipherid, htons(*inp));
+ cipherid[3] = 0;
cipher = m->get_cipher_by_char(cipherid);
if (cipher) {
tor_assert((cipher->id & 0xffff) == *inp);
}}}
?
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/12227#comment:4>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
_______________________________________________
tor-bugs mailing list
tor-bugs@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs