#5090 allows post-auth heap overflow
Robert Connolly from Matta Consulting reports that the config parsing bug in #5090 (moved) (which he found independently) is exploitable.
Examples for triggering it include
SETCONF aaaa="bbbbbbbbbbbb\x"bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb
and setting a torrc line of
ContactInfo "Here I \x"amaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
Fortunately, it looks like it can only be triggered once you've authenticated to the control port (in which case you can already screw the user) or if you can edit the torrc file (same). So it's not harmful.
Is that really true? Are there any other instances of the bug? Any other ways of reaching it? Does the different trust model for the control socket change the above paragraph?
Jake opened #5210 (moved) to avoid future things like this being exploitable in practice.
And Nick points out:
We ought to audit uses of get_escaped_string_length in control.c
nevertheless. It is a *PHENOMINALLY BAD IDEA* in C to have
independent functions that count the length of something and that
parse it. We should look for other cases of that antipattern too.
(This ticket started out as a secteam discussion, until we decided that it didn't look like a remote execution bug.)