[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

[tor-bugs] #9928 [Tor]: off-by-one in buffer length check in format_helper_exit_status

Subject: [tor-bugs] #9928 [Tor]: off-by-one in buffer length check in format_helper_exit_status
From: "Tor Bug Tracker & Wiki" <blackhole@xxxxxxxxxxxxxx>
Date: Tue, 08 Oct 2013 15:06:30 -0000
Auto-submitted: auto-generated
Delivered-to: archiver@xxxxxxxx
Delivery-date: Tue, 08 Oct 2013 11:06:43 -0400
List-archive: <http://lists.torproject.org/pipermail/tor-bugs/>
List-help: <mailto:tor-bugs-request@lists.torproject.org?subject=help>
List-id: "auto: Tor bug tracker status mails" <tor-bugs.lists.torproject.org>
List-post: <mailto:tor-bugs@lists.torproject.org>
List-subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs>, <mailto:tor-bugs-request@lists.torproject.org?subject=subscribe>
List-unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-bugs>, <mailto:tor-bugs-request@lists.torproject.org?subject=unsubscribe>
Reply-to: tor-assistants@xxxxxxxxxxxxxx
Sender: "tor-bugs" <tor-bugs-bounces@xxxxxxxxxxxxxxxxxxxx>

#9928: off-by-one in buffer length check in format_helper_exit_status
-------------------------------------+------------------------------------
 Reporter:  nickm                    |          Owner:
     Type:  defect                   |         Status:  new
 Priority:  normal                   |      Milestone:  Tor: 0.2.4.x-final
Component:  Tor                      |        Version:
 Keywords:  023-backport tor-client  |  Actual Points:
Parent ID:                           |         Points:
-------------------------------------+------------------------------------
 {{{

 I think there is a small buffer overflow (off by one) in the current
 stable
 version of tor.

 The function in question is format_helper_exit_status, which returns a
 formatted hex string. It is in common/util.c, starting at line 3270.
 The function has a comment header that explains how it works. It
 specifically says it returns a string that is not null terminated, but
 instead terminates with a newline.

 The code checks periodically throughout the function whether it has
 written
 more bytes than it should. If it does, it errors out and writes a null
 character in the current character positions. This by itself can lead to a
 buffer overflow, but I believe the checks ensure that it almost never
 writes over the buffer size - except in one case.

 After it has finished everything, it then checks again if there are more
 than 0 bytes left in the buffer. If there are, it writes two characters -
 a
 newline and a null terminator (lines 3342 to 3347).

 The problem here is if the buffer only has one byte left, an off by one
 overflow occurs. These usually are very hard to exploit, but can be a
 security issue nonetheless.

 However given that I am not familiar with the tor codebase I might be
 wrong? I also did a quick security audit on the rest of the tor code and
 couldn't find anything else. I was inspire because of the recent events...

-- 
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/9928>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
_______________________________________________
tor-bugs mailing list
tor-bugs@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

Follow-Ups:
- Re: [tor-bugs] #9928 [Tor]: off-by-one in buffer length check in format_helper_exit_status
  - From: Tor Bug Tracker & Wiki
- Re: [tor-bugs] #9928 [Tor]: off-by-one in buffer length check in format_helper_exit_status
  - From: Tor Bug Tracker & Wiki
- Re: [tor-bugs] #9928 [Tor]: off-by-one in buffer length check in format_helper_exit_status
  - From: Tor Bug Tracker & Wiki
- Re: [tor-bugs] #9928 [Tor]: off-by-one in buffer length check in format_helper_exit_status
  - From: Tor Bug Tracker & Wiki
- Re: [tor-bugs] #9928 [Tor]: off-by-one in buffer length check in format_helper_exit_status
  - From: Tor Bug Tracker & Wiki

Prev by Author: [tor-bugs] #9927 [Tor]: Clients that use microdescriptors don't emit descriptor-fetching bootstrap events
Next by Author: Re: [tor-bugs] #9913 [Atlas]: Explain relay flags in detail view using tooltips
Previous by thread: Re: [tor-bugs] #9927 [Tor]: Clients that use microdescriptors don't emit descriptor-fetching bootstrap events
Next by thread: Re: [tor-bugs] #9928 [Tor]: off-by-one in buffer length check in format_helper_exit_status
Index(es):
- Author
- Thread