[tor-bugs] #4413 [Tor Relay]: Non-triggerable integer overflow in crypto_random_hostname()
Tor Bug Tracker & Wiki
torproject-admin at torproject.org
Wed Dec 21 18:07:50 UTC 2011
#4413: Non-triggerable integer overflow in crypto_random_hostname()
-----------------------+----------------------------------------------------
Reporter: asn | Owner:
Type: defect | Status: needs_review
Priority: minor | Milestone: Tor: unspecified
Component: Tor Relay | Version:
Keywords: easy | Parent:
Points: | Actualpoints:
-----------------------+----------------------------------------------------
Comment(by nickm):
You're relying on crypto_rand_int returning the same thing in the check as
it did in the assignment to randlen.

Also, you're making the error behavior be "return (char*)INT_MAX;". I'm
not sure that makes a lot of sense: NULL is the usual way to indicate an
error on returning a pointer.

And even if this patch worked, it wouldn't solve the actual issue noted
above, where the overflow happens in the rand_bytes_len calculation.

What's wrong with the fix I suggested above?
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/4413#comment:4>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
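The three review points in the comment above, as an added C example that is not part of the original message and is not Tor's code: the random length is drawn once and stored, the byte-length arithmetic is range-checked where it happens, and every error path returns NULL. The demo_* names and the (randlen*5+7)/8 byte-length formula are assumptions, since the page does not show the function body.

```c
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical stand-in for a CSPRNG call returning [0, max); rand() is demo-only. */
static unsigned demo_rand_int(unsigned max) { return (unsigned)rand() % max; }

/* Bytes needed for randlen characters at 5 bits each (assumed formula).
 * Returns -1 where randlen*5+7 would overflow int. */
long demo_rand_bytes_len(int randlen)
{
  if (randlen < 0 || randlen > (INT_MAX - 7) / 5)
    return -1;
  return (randlen * 5 + 7) / 8;
}

/* Returns a malloc'd label with length in [min_len, max_len], or NULL on error. */
char *demo_random_label(int min_len, int max_len)
{
  static const char alphabet[] = "abcdefghijklmnopqrstuvwxyz234567";
  unsigned char *bytes;
  char *label;
  long nbytes, i;
  int randlen;
  if (min_len < 0 || max_len < min_len) return NULL; /* NULL, not (char*)INT_MAX */
  /* Draw once and store: a second draw inside a check tests a different value. */
  randlen = min_len + (int)demo_rand_int((unsigned)(max_len - min_len) + 1u);
  if ((nbytes = demo_rand_bytes_len(randlen)) < 0) return NULL;
  bytes = malloc((size_t)nbytes + 1);
  label = malloc((size_t)randlen + 1);
  if (!bytes || !label) { free(bytes); free(label); return NULL; }
  for (i = 0; i < nbytes; i++)
    bytes[i] = (unsigned char)demo_rand_int(256);
  for (i = 0; i < randlen; i++) { /* 5 bits per output character */
    unsigned v = (unsigned)bytes[i * 5 / 8] << 8;
    if (i * 5 / 8 + 1 < nbytes) v |= bytes[i * 5 / 8 + 1];
    label[i] = alphabet[(v >> (11 - i * 5 % 8)) & 31];
  }
  label[randlen] = '\0';
  free(bytes);
  return label;
}

int main(void)
{
  char *s = demo_random_label(4, 12);
  puts(s ? s : "(error)");
  free(s);
  return 0;
}
```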