nihilist/tor - tor - Git with a cup of Datura seeds

nihilist/tor

Fork 0

mirror of https://gitlab.torproject.org/tpo/core/tor.git synced 2024-11-10 21:23:58 +01:00

Commit Graph

Author SHA1 Message Date

Author	SHA1	Message	Date
Nick Mathewson	4812441d34	Never read off the end of a buffer in base32_encode() When we "fixed" #18280 in `4e4a7d2b0c` in 0291 it appears that we introduced a bug: The base32_encode function can read off the end of the input buffer, if the input buffer size modulo 5 is not equal to 0 or 3. This is not completely horrible, for two reasons: * The extra bits that are read are never actually used: so this is only a crash when asan is enabled, in the worst case. Not a data leak. * The input sizes passed to base32_encode are only ever multiples of 5. They are all either DIGEST_LEN (20), REND_SERVICE_ID_LEN (10), sizeof(rand_bytes) in addressmap.c (10), or an input in crypto.c that is forced to a multiple of 5. So this bug can't actually trigger in today's Tor. Closes bug 21894; bugfix on 0.2.9.1-alpha.	2017-04-07 10:47:16 -04:00

Nick Mathewson

4812441d34

Never read off the end of a buffer in base32_encode()

When we "fixed" #18280 in 4e4a7d2b0c
in 0291 it appears that we introduced a bug: The base32_encode
function can read off the end of the input buffer, if the input
buffer size modulo 5 is not equal to 0 or 3.

This is not completely horrible, for two reasons:
   * The extra bits that are read are never actually used: so this
     is only a crash when asan is enabled, in the worst case.  Not a
     data leak.

   * The input sizes passed to base32_encode are only ever multiples
      of 5. They are all either DIGEST_LEN (20), REND_SERVICE_ID_LEN
      (10), sizeof(rand_bytes) in addressmap.c (10), or an input in
      crypto.c that is forced to a multiple of 5.

So this bug can't actually trigger in today's Tor.

Closes bug 21894; bugfix on 0.2.9.1-alpha.

2017-04-07 10:47:16 -04:00

1 Commits