Opened 6 years ago

Closed 6 years ago

Last modified 4 years ago

#2326 closed defect (fixed)

carefully crafted cache file sizes can trigger assert

Reported by: arma
Priority: High
Component: Core Tor/Tor
Keywords: tor-relay


In read_file_to_str() we do

  /* Boundary case: st_size + 1 == SIZE_T_CEILING passes this test ... */
  if ((uint64_t)(statbuf.st_size)+1 > SIZE_T_CEILING)
    return NULL;

  /* ... and then asks tor_malloc() for exactly SIZE_T_CEILING bytes,
   * which tor_malloc() rejects with an assertion. */
  string = tor_malloc((size_t)(statbuf.st_size+1));

So a remote attacker who can give you a combination of cached blobs such that one of your files becomes exactly SIZE_T_CEILING bytes (just 2 gigs on a 32 bit platform) could cause your Tor to consistently assert on start.

The fix is to check >= instead of >.

Reported by doors.
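As an added illustration that is not code from Tor or from this ticket, the following C program models the pre-fix and post-fix size checks from read_file_to_str() against an allocator precondition patterned on tor_malloc() (which refuses sizes of SIZE_T_CEILING or more). SIZE_T_CEILING is a stand-in constant here, approximated as SIZE_MAX/2 minus a small margin on the assumption that Tor derives it from SSIZE_MAX; the real definition lives in Tor's util.h. The names allocator_accepts, vulnerable_read_check, fixed_read_check and the outcome enum are made up for the example. No multi-gigabyte allocation is performed; the program only evaluates the checks for file sizes at and around the ceiling.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Stand-in for Tor's SIZE_T_CEILING (assumption: Tor defines it as
 * SSIZE_MAX less a small margin; SIZE_MAX/2 plays the role of SSIZE_MAX). */
#define SIZE_T_CEILING ((size_t)(SIZE_MAX / 2 - 16))

/* What happens after the file-size check in read_file_to_str(). */
enum outcome {
  REJECTED,       /* size check returned NULL before allocating        */
  ALLOCATED,      /* size check passed and the allocator accepted it   */
  ASSERT_TRIPPED  /* size check passed but the allocator would assert  */
};

/* Models tor_malloc()'s precondition: it asserts unless size < SIZE_T_CEILING.
 * Returns true when the allocation would be accepted. */
static bool allocator_accepts(size_t size) {
  return size < SIZE_T_CEILING;
}

/* Pre-fix check: '>' lets st_size + 1 == SIZE_T_CEILING through. */
enum outcome vulnerable_read_check(int64_t st_size) {
  if ((uint64_t)st_size + 1 > SIZE_T_CEILING)
    return REJECTED;
  size_t want = (size_t)(st_size + 1);   /* room for the NUL terminator */
  return allocator_accepts(want) ? ALLOCATED : ASSERT_TRIPPED;
}

/* Post-fix check: '>=' rejects the boundary value before it reaches the allocator. */
enum outcome fixed_read_check(int64_t st_size) {
  if ((uint64_t)st_size + 1 >= SIZE_T_CEILING)
    return REJECTED;
  size_t want = (size_t)(st_size + 1);
  return allocator_accepts(want) ? ALLOCATED : ASSERT_TRIPPED;
}

static const char *outcome_name(enum outcome o) {
  switch (o) {
    case REJECTED:       return "rejected";
    case ALLOCATED:      return "allocated";
    case ASSERT_TRIPPED: return "assert tripped";
  }
  return "?";
}

int main(void) {
  /* Constructed file sizes: just under, exactly at, and over the boundary. */
  int64_t sizes[] = {
    (int64_t)SIZE_T_CEILING - 2,  /* largest size both versions accept     */
    (int64_t)SIZE_T_CEILING - 1,  /* the crafted size: st_size + 1 == ceiling */
    (int64_t)SIZE_T_CEILING       /* over the limit for both versions      */
  };
  for (size_t i = 0; i < sizeof sizes / sizeof sizes[0]; i++) {
    printf("st_size = ceiling%+lld: pre-fix %-14s post-fix %s\n",
           (long long)(sizes[i] - (int64_t)SIZE_T_CEILING),
           outcome_name(vulnerable_read_check(sizes[i])),
           outcome_name(fixed_read_check(sizes[i])));
  }
  return 0;
}
```

The middle row is the case the ticket describes: the pre-fix check proceeds to request exactly SIZE_T_CEILING bytes and trips the allocator's assertion, while the post-fix check returns NULL instead, so a cache file of that size is simply not loaded rather than crashing the relay on every start.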


Change History (4)

comment:1 Changed 6 years ago by nickm

  • Resolution set to fixed
  • Status changed from new to closed

fix merged; thanks!

comment:2 Changed 5 years ago by nickm

  • Keywords tor-relay added

comment:3 Changed 5 years ago by nickm

  • Component changed from Tor Relay to Tor

comment:4 Changed 4 years ago by nickm

  • Milestone Tor: 0.2.1.x-final deleted
