Opened 5 weeks ago

Last modified 5 weeks ago

#23291 needs_review defect

unintentional undefined behavior in test-memwipe.c

Reported by: nickm
Owned by:
Priority: Medium
Milestone: Tor: 0.3.0.x-final
Component: Core Tor/Tor
Version:
Severity: Normal
Keywords: 028-backport 029-backport 030-backport
Cc: snoek
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:

Description

While working on #22839, snoek found a bug in test-memwipe.c:

The last test, test_memwipe, segfaulted. This only happened with Rust built in. It turns out this was caused by the uninitialized buf in check_heap_buffer being smaller than the mem addresses being scanned. I know we're doing some dirty stuff there, but I don't think trying to read past the length of the buffer was intended. At least to me it seems fair enough for the program to segfault. I put in the obvious fix, which might be horribly wrong.

It looks fine to me, so I'm going to give it a bug number and backport it.

Change History (1)

comment:1 Changed 5 weeks ago by nickm

Keywords: 028-backport 029-backport 030-backport added
Milestone: changed from Tor: 0.2.9.x-final to Tor: 0.3.0.x-final
Status: changed from new to needs_review

I've cherry-picked the patch into a new branch with a changes file, as bug23291_028 in my public repository. I'm merging it to 0.3.1 and forward, but maybe we want to backport it more?
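The failure class in the description, a scan that runs longer than the buffer it reads, can be shown with a wipe check whose scan length is validated against the allocation size. This is an added example, not code from test-memwipe.c or the patch; `wipe`, `count_residue`, `residue_after` and `SECRET_BYTE` are hypothetical names, and it scans a live allocation rather than reproducing the uninitialized reads the real test relies on.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define SECRET_BYTE 0x5a /* constructed sentinel standing in for secret data */

/* Zero a region through a volatile pointer so the stores are not elided. */
static void wipe(void *p, size_t len) {
    volatile uint8_t *v = p;
    while (len--) *v++ = 0;
}

/* Count sentinel bytes in the first scan_len bytes of buf.
 * Returns -1 without reading anything if the requested scan is longer
 * than the allocation, which is the mismatch the ticket describes. */
static long count_residue(const uint8_t *buf, size_t alloc_len, size_t scan_len) {
    if (buf == NULL || scan_len > alloc_len)
        return -1;
    long hits = 0;
    for (size_t i = 0; i < scan_len; i++)
        if (buf[i] == SECRET_BYTE)
            hits++;
    return hits;
}

/* Fill a heap buffer with the sentinel, optionally wipe it, then scan it.
 * Returns the residue count, -1 for an out-of-bounds scan request,
 * or -2 if the allocation failed. */
long residue_after(size_t alloc_len, size_t scan_len, int do_wipe) {
    uint8_t *buf = malloc(alloc_len);
    if (buf == NULL)
        return -2;
    memset(buf, SECRET_BYTE, alloc_len);
    if (do_wipe)
        wipe(buf, alloc_len);
    long r = count_residue(buf, alloc_len, scan_len);
    free(buf);
    return r;
}

int main(void) {
    printf("no wipe:   %ld\n", residue_after(2048, 2048, 0));
    printf("wiped:     %ld\n", residue_after(2048, 2048, 1));
    printf("over-scan: %ld\n", residue_after(1024, 2048, 1));
    return 0;
}
```

Passing the allocation size alongside the scan length turns a size mismatch into a test failure instead of a platform-dependent crash.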
