Opened 8 years ago

Closed 8 years ago

Last modified 8 years ago

#6765 closed defect (fixed)

Defensive programming: Use tor_malloc_zero() in var_cell_new()

Reported by: asn Owned by:
Priority: Medium Milestone: Tor: 0.2.4.x-final
Component: Core Tor/Tor Version:
Severity: Keywords: tor-client
Cc: Actual Points:
Parent ID: Points:
Reviewer: Sponsor:

Description

To be sure that we don't leak any memory to the network (a la CVE-2011-4576), it would be good if we used tor_malloc_zero() in var_cell_new(). We currently use tor_malloc() which does not clean memory.

We currently seem to be setting var_cell_t.payload and var_cell_t.payload_len correctly before calls to connection_or_write_var_cell_to_buf(), but it would be good to future-proof ourselves.

Child Tickets

Change History (5)

comment:1 Changed 8 years ago by nickm

I think I was initially concerned here about losing efficiency. But we're going to encrypt these things anyway: memset() is amazingly cheap compared to even the fastest TLS.

comment:2 in reply to:  1 Changed 8 years ago by asn

Status: newneeds_review

Replying to nickm:

I think I was initially concerned here about losing efficiency. But we're going to encrypt these things anyway: memset() is amazingly cheap compared to even the fastest TLS.

That's what I think too.

Please see branch bug6765 in https://git.torproject.org/user/asn/tor.git.

comment:3 Changed 8 years ago by nickm

Resolution: fixed
Status: needs_reviewclosed

Merged to master.

comment:4 Changed 8 years ago by nickm

Keywords: tor-client added

comment:5 Changed 8 years ago by nickm

Component: Tor ClientTor
Note: See TracTickets for help on using tickets.