Opened 4 years ago

Closed 4 years ago

Last modified 2 years ago

#2326 closed defect (fixed)

carefully crafted cache file sizes can trigger assert

Reported by: arma
Owned by:
Priority: major
Milestone:
Component: Tor
Version:
Keywords: tor-relay
Cc:
Actual Points:
Parent ID:


In read_file_to_str() we do

  if ((uint64_t)(statbuf.st_size)+1 > SIZE_T_CEILING)  /* '>' still lets st_size+1 == SIZE_T_CEILING through */
    return NULL;

  string = tor_malloc((size_t)(statbuf.st_size+1));    /* tor_malloc() asserts size < SIZE_T_CEILING */

So a remote attacker who can give you a combination of cached blobs such that one of your files becomes exactly SIZE_T_CEILING bytes (just 2 gigs on a 32-bit platform) could cause your Tor to consistently assert on start.

The fix is to check >= instead of >.

Reported by doors.
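The boundary case in the report, as an added example that is not part of the ticket or of Tor's code. It models the two pieces involved: the size check in read_file_to_str() (the ticket's `>` form beside the `>=` fix) and the guard in tor_malloc(), which is assumed here to assert unless the requested size is strictly below SIZE_T_CEILING. Because the allocation request is st_size + 1, the scan shows which st_size value passes the check and still reaches the assertion. DEMO_SIZE_T_CEILING is a small stand-in for Tor's constant so the boundary can be exercised without a 2 GiB file; the arithmetic is otherwise identical.

```c
/* Off-by-one at SIZE_T_CEILING: model of ticket #2326.
 * Added example, not Tor's code. A small stand-in ceiling replaces
 * SIZE_T_CEILING (assumption) so the boundary is cheap to test. */
#include <stdint.h>
#include <stdio.h>

#define DEMO_SIZE_T_CEILING ((size_t)4096)

/* Model of tor_malloc()'s guard (assumption: tor_assert(size < SIZE_T_CEILING)).
 * Returns 1 when the allocation would proceed, 0 when the assert would fire. */
static int demo_tor_malloc_ok(size_t size)
{
    return size < DEMO_SIZE_T_CEILING;
}

/* The pre-fix check from the ticket: rejects only when st_size+1 exceeds
 * the ceiling, so st_size+1 == SIZE_T_CEILING is allowed to continue. */
static int size_check_before_fix(uint64_t st_size)
{
    return !((uint64_t)st_size + 1 > DEMO_SIZE_T_CEILING);
}

/* The fixed check: st_size+1 == SIZE_T_CEILING is refused as well. */
static int size_check_after_fix(uint64_t st_size)
{
    return !((uint64_t)st_size + 1 >= DEMO_SIZE_T_CEILING);
}

/* Run one st_size through a check and then the allocator's guard.
 * Returns 1 when the check passes but the allocator would assert, i.e.
 * a file of that size crashes the process instead of being refused. */
static int file_size_triggers_assert(int (*check)(uint64_t), uint64_t st_size)
{
    if (!check(st_size))
        return 0;                       /* refused cleanly: read_file_to_str returns NULL */
    return !demo_tor_malloc_ok((size_t)(st_size + 1));
}

/* Count how many st_size values in [ceiling-4, ceiling+1] reach the
 * assertion under the given check. Expect 1 before the fix, 0 after. */
static int count_assert_sizes(int (*check)(uint64_t))
{
    int hits = 0;
    uint64_t st_size;
    for (st_size = DEMO_SIZE_T_CEILING - 4; st_size <= DEMO_SIZE_T_CEILING + 1; st_size++)
        hits += file_size_triggers_assert(check, st_size);
    return hits;
}

int main(void)
{
    uint64_t st_size;
    printf("%8s  %-7s  %-7s\n", "st_size", "before", "after");
    for (st_size = DEMO_SIZE_T_CEILING - 4; st_size <= DEMO_SIZE_T_CEILING + 1; st_size++) {
        printf("%8llu  %-7s  %-7s\n", (unsigned long long)st_size,
               file_size_triggers_assert(size_check_before_fix, st_size) ? "ASSERT" : "ok",
               file_size_triggers_assert(size_check_after_fix, st_size) ? "ASSERT" : "ok");
    }
    return 0;
}
```

Only st_size == DEMO_SIZE_T_CEILING - 1 reaches the assertion with the original check: it is the single value for which st_size + 1 is not greater than the ceiling yet not below it either. Any larger file is refused by both checks; the fix closes exactly that one-value gap.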

Change History (4)

comment:1 Changed 4 years ago by nickm

  • Resolution set to fixed
  • Status changed from new to closed

fix merged; thanks!

comment:2 Changed 2 years ago by nickm

  • Keywords tor-relay added

comment:3 Changed 2 years ago by nickm

  • Component changed from Tor Relay to Tor

comment:4 Changed 2 years ago by nickm

  • Milestone Tor: 0.2.1.x-final deleted