Opened 10 years ago

Closed 10 years ago

Last modified 8 years ago

#2326 closed defect (fixed)

carefully crafted cache file sizes can trigger assert

Reported by: arma
Owned by:
Priority: High
Milestone:
Component: Core Tor/Tor
Version:
Severity:
Keywords: tor-relay
Cc:
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:


In read_file_to_str() we do

  if ((uint64_t)(statbuf.st_size)+1 > SIZE_T_CEILING)
    return NULL;

  string = tor_malloc((size_t)(statbuf.st_size+1));

So a remote attacker who can give you a combination of cached blobs such that one of your files becomes exactly SIZE_T_CEILING bytes (just 2 gigs on a 32-bit platform) could cause your Tor to consistently assert on start.

The fix is to check >= instead of >.

Reported by doors.
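To make the boundary concrete, here is an added example in C (not Tor's code): the original and the fixed guard side by side, plus a small file reader that applies the fixed check before allocating. The ceiling is a constructed parameter rather than the real SIZE_T_CEILING so the edge can be hit with tiny files, and the tmpfile()-based helper is an assumption made for the demonstration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Both guards side by side. `ceiling` stands in for SIZE_T_CEILING (constructed
 * parameter so the boundary is reachable with small files). tor_malloc() asserts
 * its request is strictly below the ceiling, so st_size + 1 == ceiling crashes. */
static bool guard_accepts(uint64_t st_size, uint64_t ceiling, bool fixed)
{
  if (fixed)
    return !((st_size + 1) >= ceiling); /* ticket's fix */
  return !((st_size + 1) > ceiling);    /* original: st_size + 1 == ceiling slips through */
}

/* Read the whole file behind fd into a NUL-terminated buffer with the fixed guard. */
static char *read_fd_to_str(int fd, uint64_t ceiling, size_t *size_out)
{
  struct stat statbuf;
  if (fstat(fd, &statbuf) < 0 || statbuf.st_size < 0) return NULL;
  if (!guard_accepts((uint64_t)statbuf.st_size, ceiling, true)) return NULL;
  size_t len = (size_t)statbuf.st_size;
  char *string = malloc(len + 1);
  if (!string) return NULL;
  for (size_t got = 0; got < len; ) {
    ssize_t r = read(fd, string + got, len - got);
    if (r <= 0) { free(string); return NULL; }
    got += (size_t)r;
  }
  string[len] = '\0';
  if (size_out) *size_out = len;
  return string;
}

/* Demo helper (assumption): temp file of n 'A' bytes; returns bytes read, -1 if refused. */
static long try_read_file_of_size(size_t n, uint64_t ceiling)
{
  FILE *f = tmpfile();
  if (!f) return -2;
  for (size_t i = 0; i < n; i++) fputc('A', f);
  fflush(f); lseek(fileno(f), 0, SEEK_SET);
  size_t len = 0;
  char *s = read_fd_to_str(fileno(f), ceiling, &len);
  fclose(f);
  long rc = s ? (long)len : -1;
  free(s);
  return rc;
}
```

With a ceiling of 64, a 63-byte file passes the original guard and leads to a 64-byte request, exactly the size the allocator's assertion rejects; the fixed guard refuses that file and accepts 62 bytes.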

Child Tickets

Change History (4)

comment:1 Changed 10 years ago by nickm

Resolution: fixed
Status: new → closed

fix merged; thanks!

comment:2 Changed 8 years ago by nickm

Keywords: tor-relay added

comment:3 Changed 8 years ago by nickm

Component: Tor Relay → Tor

comment:4 Changed 8 years ago by nickm

Milestone: Tor: 0.2.1.x-final

Milestone Tor: 0.2.1.x-final deleted
