mirror of
https://gitlab.torproject.org/tpo/core/tor.git
synced 2024-12-01 08:03:31 +01:00
9ce0bdd226
The function compat_getdelim_ is used for tor_getline if tor is compiled on a system that lacks getline and getdelim. These systems should be very rare, considering that getdelim is POSIX.

If this system is further a 32 bit architecture, it is possible to trigger a double free with huge files.

If bufsiz has been already increased to 2 GB, the next chunk would be 4 GB in size, which wraps around to 0 due to 32 bit limitations.

A realloc(*buf, 0) could be imagined as "free(*buf); return malloc(0);" which therefore could return NULL. The code in question considers that an error, but will keep the value of *buf pointing to already freed memory.

The caller of tor_getline() would free the pointer again, therefore leading to a double free.

This code can only be triggered in dirserv_read_measured_bandwidths with a huge measured bandwidth list file on a system that actually allows to reach 2 GB of space through realloc.

It is not possible to trigger this on Linux with glibc or other major *BSD systems even on unit tests, because these systems cannot reach so much memory due to memory fragmentation.

This patch is effectively based on the penetration test report of cure53 for curl available at https://cure53.de/pentest-report_curl.pdf and explained under section "CRL-01-007 Double-free in aprintf() via unsafe size_t multiplication (Medium)".

| Name |
|---|
| curve25519_donna |
| ed25519 |
| keccak-tiny |
| mulodi |
| rust@aa37fb84fb |
| timeouts |
| trunnel |
| byteorder.h |
| csiphash.c |
| getdelim.c |
| ht.h |
| include.am |
| Makefile.nmake |
| OpenBSD_malloc_Linux.c |
| README |
| readpassphrase.c |
| siphash.h |
| strlcat.c |
| strlcpy.c |
| tinytest_demo.c |
| tinytest_macros.h |
| tinytest.c |
| tinytest.h |
| tor_queue.h |
| tor_queue.txt |
| tor_readpassphrase.h |
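
The size wrap described in the commit message above, and a growth step that refuses it before realloc is called, as an added example (not tor's code and not part of the patch). `grow_buf`, `grow_until_refused` and the `limit` parameter are hypothetical names; `uint32_t` stands in for a 32-bit `size_t` and `limit` for `SIZE_MAX`, so the case is reproducible on a 64-bit host without allocating gigabytes.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* The arithmetic from the commit message, with uint32_t as a 32-bit size_t:
 * doubling 2 GiB wraps to 0, and realloc(p, 0) may free p and return NULL. */
static uint32_t next_size_unchecked(uint32_t bufsiz) {
    return bufsiz * 2u;
}

/* Hardened growth step (hypothetical helper, not tor's function).
 * Returns 0 on success, -1 on failure. On failure *buf and *bufsiz are
 * untouched and *buf is still a live allocation, so the caller's single
 * free(*buf) stays correct. `limit` plays the role of SIZE_MAX. */
static int grow_buf(char **buf, size_t *bufsiz, size_t limit) {
    char *nbuf;
    if (*bufsiz == 0 || *bufsiz > limit / 2) {
        errno = EOVERFLOW;   /* refuse before realloc sees a wrapped size */
        return -1;
    }
    nbuf = realloc(*buf, *bufsiz * 2);  /* size > 0: NULL leaves old block intact */
    if (nbuf == NULL)
        return -1;
    *buf = nbuf;
    *bufsiz *= 2;
    return 0;
}

/* Double from `start` until refused, as a getdelim-style loop would, then
 * free exactly once. Returns the final size, or 0 if the data was lost. */
static size_t grow_until_refused(size_t start, size_t limit, int *err) {
    size_t bufsiz = start;
    char *buf = start ? malloc(start) : NULL;
    if (buf == NULL) { *err = ENOMEM; return 0; }
    memset(buf, 'A', bufsiz);
    while (grow_buf(&buf, &bufsiz, limit) == 0) {}
    *err = errno;
    if (buf[0] != 'A') bufsiz = 0;
    free(buf);
    return bufsiz;
}

int main(void) {
    int err = 0;
    printf("unchecked: %u, checked stop: %zu\n",
           (unsigned)next_size_unchecked(0x80000000u), grow_until_refused(8, 64, &err));
    return err == EOVERFLOW ? 0 : 1;
}
```
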

OpenBSD_malloc_Linux.c:

    The OpenBSD malloc implementation, ported to Linux. Used only when
    --enable-openbsd-malloc is passed to the configure script.

strlcat.c strlcpy.c

    Implementations of strlcat and strlcpy, the more sane replacements
    for strcat and strcpy. These are nonstandard, and some libc
    implementations refuse to add them for religious reasons.

ht.h

    An implementation of a hash table in the style of Niels Provos's
    tree.h. Shared with Libevent.

tinytest.[ch] tinytest_demo.c tinytest_macros.h

    A unit testing framework. https://github.com/nmathewson/tinytest

tor_queue.h

    A copy of sys/queue.h from OpenBSD. We keep our own copy rather
    than using sys/queue.h, since some platforms don't have a
    sys/queue.h, and the ones that do have diverged in incompatible
    ways. (CIRCLEQ or no CIRCLEQ? SIMPLQ or STAILQ?) We also rename
    the identifiers with a TOR_ prefix to avoid conflicts with
    the system headers.

curve25519_donna/*.c

    A copy of Adam Langley's curve25519-donna mostly-portable
    implementations of curve25519.

csiphash.c siphash.h

    Marek Majkowski's implementation of siphash 2-4, a secure keyed
    hash algorithm to avoid collision-based DoS attacks against hash
    tables.

trunnel/*.[ch]

    Headers and runtime code for Trunnel, a system for generating
    code to encode and decode binary formats.

ed25519/ref10/*

    Daniel Bernstein's portable ref10 implementation of ed25519.
    Public domain.

ed25519/donna/*

    Andrew Moon's semi-portable ed25519-donna implementation of
    ed25519. Public domain.

keccak-tiny/

    David Leon Gil's portable Keccak implementation. CC0.

readpassphrase.[ch]

    Portable readpassphrase implementation from OpenSSH portable, version
    6.8p1.

timeouts/

    William Ahern's hierarchical timer-wheel implementation. MIT license.

mulodi/

    Contains an overflow-checking 64-bit signed integer multiply
    from LLVM's compiler_rt. For some reason, this is missing from
    32-bit libclang in many places. Dual licensed MIT-license and
    BSD-like license; see mulodi/LICENSE.TXT.