ASan stack-buffer-overflow in prune_v2_cipher_list -- not exploitable
Found a minor buffer overflow when running a live relay with 'tor' and 'openssl' both compiled with AddressSanitizer.
tortls.c:1492: unsigned char cipherid[2];
should be three characters, with the final byte initialized to zero, for ssl2_get_cipher_by_char() to function correctly and to avoid an ASan access exception.
A tested patch that resolves this issue is attached.
Compiled with gcc 4.8.1 and with these added options:

tor-0.2.4.22:
  -O1 (instead of -O2)
  -fsanitize=address
  -fno-omit-frame-pointer

openssl-1.0.1h:
  -fstack-protector-all
  --param ssp-buffer-size=1
  -fsanitize=address
  -fno-omit-frame-pointer
  -DOPENSSL_NO_BUF_FREELIST
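To make the failure mode concrete, here is an added example (an editor's model written for this ticket, not code from Tor or OpenSSL). It models an SSLv23-style lookup chain: the 2-byte SSLv3 cipher id is tried first and, on a miss, the lookup falls back to the 3-byte SSLv2 id, so a 2-byte stack buffer is read one byte past its end exactly when the cipher is not in the SSLv3 table. The vulnerable 2-byte buffer and the fixed 3-byte buffer sit side by side; the cipher tables, ids and function names are constructed for illustration.

```c
/*
 * Added example (not Tor's or OpenSSL's code): a self-contained model of the
 * lookup chain behind the ticket.  The SSLv23 method tries the 2-byte SSLv3
 * cipher id first and, if that misses, falls back to the 3-byte SSLv2 id, so
 * a 2-byte buffer is read one byte past its end whenever the cipher is not
 * in the SSLv3 table.  Tables, ids and names below are constructed.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

typedef struct {
  int found;        /* nonzero if the id was in one of the tables */
  size_t consumed;  /* bytes of the caller's buffer that were read */
} lookup_result;

/* Constructed tables: 4-byte cipher ids, protocol tag in the top byte. */
static const unsigned long ssl3_table[] = { 0x03000004UL, 0x0300002fUL };
static const unsigned long ssl2_table[] = { 0x02010080UL, 0x02070080UL };

static int in_table(const unsigned long *t, size_t n, unsigned long id)
{
  size_t i;
  for (i = 0; i < n; i++)
    if (t[i] == id)
      return 1;
  return 0;
}

/* SSLv3-style lookup: the id is two bytes wide, p[0] and p[1]. */
static lookup_result ssl3_lookup(const unsigned char *p)
{
  lookup_result r;
  unsigned long id = 0x03000000UL | ((unsigned long)p[0] << 8) | p[1];
  r.consumed = 2;
  r.found = in_table(ssl3_table, sizeof ssl3_table / sizeof ssl3_table[0], id);
  return r;
}

/* SSLv2-style lookup: the id is three bytes wide, so p[2] is read too. */
static lookup_result ssl2_lookup(const unsigned char *p)
{
  lookup_result r;
  unsigned long id = 0x02000000UL | ((unsigned long)p[0] << 16)
                   | ((unsigned long)p[1] << 8) | p[2];
  r.consumed = 3;
  r.found = in_table(ssl2_table, sizeof ssl2_table / sizeof ssl2_table[0], id);
  return r;
}

/* Combined lookup in the SSLv23 style: SSLv3 first, SSLv2 on a miss. */
static lookup_result ssl23_lookup(const unsigned char *p)
{
  lookup_result r = ssl3_lookup(p);
  if (r.found)
    return r;
  return ssl2_lookup(p);
}

/* The shape of the reported bug: a 2-byte buffer handed to a lookup that
 * may read 3 bytes.  Safe only while the SSLv3 lookup hits; for an id the
 * SSLv3 table lacks, -fsanitize=address reports a stack-buffer-overflow
 * READ of size 1 on cipherid[2]. */
static lookup_result check_cipher_2byte(uint16_t cipher)
{
  unsigned char cipherid[2];
  cipherid[0] = (unsigned char)(cipher >> 8);
  cipherid[1] = (unsigned char)(cipher & 0xff);
  return ssl23_lookup(cipherid);
}

/* The fix the ticket describes: three bytes, the last one zeroed, so the
 * SSLv2 fallback reads a defined byte that stays inside the buffer. */
static lookup_result check_cipher_3byte(uint16_t cipher)
{
  unsigned char cipherid[3];
  cipherid[0] = (unsigned char)(cipher >> 8);
  cipherid[1] = (unsigned char)(cipher & 0xff);
  cipherid[2] = 0;
  return ssl23_lookup(cipherid);
}

int main(void)
{
  /* 0x0004 is in the constructed SSLv3 table: only two bytes are read,
   * so even the 2-byte buffer survives this call. */
  lookup_result hit2 = check_cipher_2byte(0x0004);
  lookup_result hit3 = check_cipher_3byte(0x0004);
  /* 0x1234 is in neither table: the fallback reads the third byte, which
   * only the 3-byte buffer can supply without an overread. */
  lookup_result miss3 = check_cipher_3byte(0x1234);
  printf("0x0004 (2-byte buf): found=%d consumed=%zu\n", hit2.found, hit2.consumed);
  printf("0x0004 (3-byte buf): found=%d consumed=%zu\n", hit3.found, hit3.consumed);
  printf("0x1234 (3-byte buf): found=%d consumed=%zu\n", miss3.found, miss3.consumed);
  /* To reproduce the ASan report, build with -fsanitize=address and call
   * check_cipher_2byte(0x1234) here. */
  return 0;
}
```

The point of the model is the `consumed` field: the third byte is only touched on the fallback path, which is why the overread does not show up for every cipher and why it surfaces only with an ASan build.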