#28202 closed defect (fixed)

Bad end-of-string check in get_next_token (CID various)

Reported by: nickm Owned by: nickm
Priority: Medium Milestone: Tor: 0.3.5.x-final
Component: Core Tor/Tor Version:
Severity: Normal Keywords: 029-backport 033-backport 034-backport
Cc: coverity Actual Points:
Parent ID: Points:
Reviewer: dgoulet Sponsor:


There's a coverity warning about an overflow in test_parsecommmon. I think it is happening because of this code:

 *s + 16 >= eol

That's the wrong way to test for end-of-string, since C says that *s+16 is undefined behavior if the resulting pointer would be more than 1 off the end of the allocated byte array.

Child Tickets

Change History (5)

comment:1 Changed 14 months ago by nickm

Owner: set to nickm
Status: newaccepted

see branches:

Note that there is C pointer math here, along with ugly code and code movement that affected the merges.

I'd support refactoring this code entirely in the future but for now I think we can't, at least not in these releases.

comment:2 Changed 14 months ago by nickm

Status: acceptedneeds_review

comment:3 Changed 14 months ago by dgoulet

Reviewer: dgoulet
Status: needs_reviewmerge_ready

Travis is happy. All branches lgtm.

comment:4 Changed 14 months ago by nickm

Okay. I'll fuzz this for a while, and merge if nothing breaks.

comment:5 Changed 14 months ago by nickm

Resolution: fixed
Status: merge_readyclosed

merged to all supported branches!

Note: See TracTickets for help on using tickets.