Buffer overflow in get_freelist
get_freelist() walks the global freelist looking for an matching slot, and then falls off the end. freelist uses a (0, ...) record to mark the end of the list, but get_freelist() never checks for it.
ERROR: AddressSanitizer: global-buffer-overflow on address 0x7f4883a23238 at pc 0x7f4882eaaf48 bp 0x7fff9aa39c30 sp 0x7fff9aa39c28 READ of size 8 at 0x7f4883a23238 thread T0 #0 0x7f4882eaaf47 in get_freelist src/or/buffers.c:151 #1 0x7f4882eaa5a0 in chunk_new_with_alloc_size src/or/buffers.c:189:14 #2 (closed) 0x7f4882e86d85 in buf_add_chunk_with_capacity src/or/buffers.c:602:13 #3 (closed) 0x7f4882e8df20 in write_to_buf src/or/buffers.c:949 #4 (closed) 0x7f488298357c in test_buffers src/test/test.c:738 #5 (closed) 0x7f488294048e in legacy_test_helper src/test/test.c:1971 #6 (closed) 0x7f4882e69bac in testcase_run_bare_ src/ext/tinytest.c:89 #7 (closed) 0x7f4882e685a8 in testcase_run_one src/ext/tinytest.c:224 #8 (closed) 0x7f4882e6c953 in tinytest_main src/ext/tinytest.c:347 #9 (closed) 0x7f4882941be2 in main src/test/test.c:2118 #10 (closed) 0x7f4880e7076c (/lib/x86_64-linux-gnu/libc.so.6+0x2176c) #11 (closed) 0x7f488293f4dc ( src/test/test+0x1434dc) 0x7f4883a23238 is located 0 bytes to the right of global variable 'freelists' from 'src/or/buffers.c' (0x7f4883a23120) of size 280
FYI, to reproduce this report, build Tor with clang 3.2 (or newer)
CC=/code/llvm/build/bin/clang
CXX=/code/llvm/build/bin/clang++
CFLAGS="-fsanitize=address -g -O0"
LDFLAGS=-fsanitize=address
./configure
make
src/test/test
Trac:
Username: eugenis