Opened 4 years ago

Closed 3 years ago

#17475 closed defect (fixed)

Overflow when parsing config lines with many arguments

Reported by: junglefowl Owned by: dgoulet
Priority: Medium Milestone:
Component: Core Tor/Torsocks Version:
Severity: Normal Keywords:
Cc: Actual Points:
Parent ID: Points:
Reviewer: Sponsor:

Description

It is possible to overflow tokens with a configuration that contains many
arguments in one line.

At first, the upper limit is specified as sizeof(tokens), which is
wrong. It has to be DEFAULT_MAX_CONF_TOKEN or sizeof(tokens) /
sizeof(tokens[0]). The former is shorter, therefor I took that one.

The next issue is in utils_tokenize_ignore_comments, which verifies that
enough space is available only with the ' ' separator. Later in the code,
'\t' is also allowed as a separator, which means that more arguments could
show up than previously taken into account during size checks.

This is an unlikely case, so the check will be done while parsing. When
the limit is reached, previously allocated memory is released again and
error value is returned.

Child Tickets

Attachments (1)

overflow.patch (2.7 KB) - added by junglefowl 4 years ago.

Download all attachments as: .zip

Change History (3)

Changed 4 years ago by junglefowl

Attachment: overflow.patch added

comment:1 Changed 3 years ago by dgoulet

Status: newaccepted

Accept a bunch of tickets for torsocks.

comment:2 Changed 3 years ago by dgoulet

Resolution: fixed
Status: acceptedclosed

Merged with slight modifications. Thanks!

Note: See TracTickets for help on using tickets.