nihilist/tor - tor - Git with a cup of Datura seeds

nihilist/tor

Fork 0

mirror of https://gitlab.torproject.org/tpo/core/tor.git synced 2024-09-20 21:16:22 +02:00

Commit Graph

Author	SHA1	Message	Date
Nick Mathewson	be2d37ad3c	Fix a pointer arithmetic bug in memarea_alloc() Fortunately, the arithmetic cannot actually overflow, so long as we always check for the size of potentially hostile input before copying it. I think we do, though. We do check each line against MAX_LINE_LENGTH, and each object name or object against MAX_UNPARSED_OBJECT_SIZE, both of which are 128k. So to get this overflow, we need to have our memarea allocated way way too high up in RAM, which most allocators won't actually do. Bugfix on 0.2.1.1-alpha, where memarea was introduced. Found by Guido Vranken.	2016-05-25 09:20:37 -04:00

Author

SHA1

Message

Date

Nick Mathewson

be2d37ad3c

Fix a pointer arithmetic bug in memarea_alloc()

Fortunately, the arithmetic cannot actually overflow, so long as we
*always* check for the size of potentially hostile input before
copying it.  I think we do, though.  We do check each line against
MAX_LINE_LENGTH, and each object name or object against
MAX_UNPARSED_OBJECT_SIZE, both of which are 128k.  So to get this
overflow, we need to have our memarea allocated way way too high up
in RAM, which most allocators won't actually do.

Bugfix on 0.2.1.1-alpha, where memarea was introduced.

Found by Guido Vranken.

2016-05-25 09:20:37 -04:00

1 Commits