#21018 closed defect (fixed)

TROVE-2016-12-002: read one byte past end of buffer in get_token()

Reported by: nickm
Owned by: nickm
Priority: Medium
Milestone: Tor: 0.2.9.x-final
Component: Core Tor/Tor
Severity: Normal
Keywords: 024-backport 025-backport 026-backport 027-backport

Description

Grabbing a ticket for this issue. Severity ranked as "low" or "medium", depending on how the analysis goes.

Change History (4)

comment:1 Changed 10 months ago by nickm

Owner: set to nickm
Status: new → accepted

comment:2 Changed 10 months ago by nickm

My branch bug21018_024 has the fix. From the changes file:

+    - Fix a bug in parsing that could cause clients to read a single
+      byte past the end of an allocated region. This bug could be
+      used to cause hardened clients (built with
+      --enable-expensive-hardening) to crash if they tried to visit
+      a hostile hidden service.  Non-hardened clients are only
+      affected depending on the details of their platform's memory
+      allocator. Fixes bug 21018; bugfix on 0.2.0.8-alpha. Found by
+      using libFuzzer. Also tracked as TROVE-2016-12-002 and as
+      CVE-2016-1254.

comment:3 Changed 10 months ago by nickm

Keywords: 024-backport 025-backport 026-backport 027-backport added
Status: accepted → needs_review

Merged to 0.2.8 and forward.

comment:4 Changed 10 months ago by nickm

Resolution: fixed
Status: needs_review → closed
Summary: TROVE-2016-12-002 → TROVE-2016-12-002: read one byte past end of buffer in get_token()

Fix backported to 0.2.4 and forward.
