[tor-bugs] #17404 [Tor]: dn_indicates_v3_cert can call memcmp up to 4 chars before the beginning of a string.
#17404: dn_indicates_v3_cert can call memcmp up to 4 chars before the beginning of a string.
-------------------------+-------------------------------------------------
Reporter: nickm          | Owner:
Type: defect             | Status: new
Priority: Very High      | Milestone: Tor: 0.2.7.x-final
Component: Tor           | Version:
Severity: Major          | Keywords: 024-backport 026-backport 025-backport
Actual Points:           | Parent ID:
Points:                  | Sponsor:
-------------------------+-------------------------------------------------
dn_indicates_v3_cert() does this:

{{{
  len = ASN1_STRING_to_UTF8(&s, str);
  if (len < 0) {
    return 0;
  }
  r = fast_memneq(s + len - 4, ".net", 4);
}}}

Note that if the len < 4, we read bytes from a malloc header, which isn't
a good thing at all.

In practice, I don't think this should cause crashes or security failures,
unless somebody is using a very weird malloc, or unless somebody has a
hardened installation that detects this kind of invalid check.

Still, this is a must-fix.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/17404>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
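
An added example, not Tor's code and not the patch for this ticket: a bounds-checked suffix test for a length-delimited buffer, plus a helper that reports how many bytes the unguarded `s + len - 4` form would read from before the buffer. The names `suffix_underrun` and `buf_ends_with` are hypothetical, `memcmp` stands in for Tor's `fast_memneq`, and the sample names are constructed.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Bytes that an unguarded `s + len - suffix_len` comparison would read from
 * before the start of s. Zero means the comparison stays in bounds; a
 * negative len is the error path, which returns before any comparison. */
static size_t
suffix_underrun(int len, size_t suffix_len)
{
  if (len < 0 || (size_t)len >= suffix_len)
    return 0;
  return suffix_len - (size_t)len;
}

/* Returns 1 if the len-byte buffer s ends with suffix, else 0.
 * s need not be NUL-terminated; len is an int because
 * ASN1_STRING_to_UTF8() reports failure as a negative length. */
static int
buf_ends_with(const unsigned char *s, int len, const char *suffix)
{
  size_t suffix_len = strlen(suffix);
  if (s == NULL || len < 0)
    return 0;
  if (suffix_underrun(len, suffix_len) != 0)
    return 0; /* shorter than the suffix: cannot match, must not be read */
  return memcmp(s + ((size_t)len - suffix_len), suffix, suffix_len) == 0;
}

int
main(void)
{
  /* Constructed sample names, not taken from the ticket. */
  static const char *names[] = { "", "a", "net", ".net", "example.net",
                                 "example.com" };
  size_t i;
  for (i = 0; i < sizeof(names) / sizeof(names[0]); i++) {
    int len = (int)strlen(names[i]);
    printf("%-12s len=%d underrun=%zu ends_with_.net=%d\n",
           names[i][0] ? names[i] : "(empty)", len,
           suffix_underrun(len, 4),
           buf_ends_with((const unsigned char *)names[i], len, ".net"));
  }
  return 0;
}
```

Inputs of length 0 to 3 are the ones that reach the underrun in the excerpt above; the guard rejects them before any pointer arithmetic happens.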