Non-triggerable integer overflow in crypto_random_hostname()
char *
crypto_random_hostname(int min_rand_len, int max_rand_len, const char *prefix,
                       const char *suffix)
...
  randlen = min_rand_len + crypto_rand_int(max_rand_len - min_rand_len + 1);
...
  rand_bytes_len = ((randlen*5)+7)/8;
  if (rand_bytes_len % 5)
    rand_bytes_len += 5 - (rand_bytes_len%5);
  rand_bytes = tor_malloc(rand_bytes_len);

If randlen is large enough that randlen*5 overflows in rand_bytes_len = ((randlen*5)+7)/8; we pass a negative value to tor_malloc().
I don't see this happening any time soon, since all the currently used crypto_random_hostname() arguments are very small, but it might be good to fix it for completeness.
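As an added illustration (not Tor's code), this is the same length computation with the overflow guarded: the caller's randlen is bounded before the multiply so that (randlen*5)+7 always fits in an int, and a negative or out-of-range length is rejected instead of reaching the allocator. The function name and the -1 error return are assumptions made for this example.

```c
#include <limits.h>

/* Compute the number of random bytes crypto_random_hostname() needs for
 * randlen base32 characters, rounded up to a multiple of 5, but refuse any
 * randlen for which the intermediate (randlen*5)+7 would overflow an int.
 * Returns the byte count, or -1 if randlen is negative or too large.
 * (Example code, not Tor's own implementation.) */
long
checked_rand_bytes_len(int randlen)
{
  long len;

  /* A negative length would end up as a negative allocation size. */
  if (randlen < 0)
    return -1;

  /* (randlen*5)+7 fits in an int only when randlen <= (INT_MAX-7)/5. */
  if (randlen > (INT_MAX - 7) / 5)
    return -1;

  /* Now the arithmetic cannot overflow; compute it in long for clarity. */
  len = ((long)randlen * 5 + 7) / 8;

  /* Round up to a multiple of 5 bytes, as the original code does. */
  if (len % 5)
    len += 5 - (len % 5);

  return len;
}
```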