[tor-bugs] #4230 [Tor Client]: smartlist functions contain bogus overflow checks

Tor Bug Tracker & Wiki torproject-admin at torproject.org
Thu Nov 10 15:44:11 UTC 2011 

#4230: smartlist functions contain bogus overflow checks
------------------------+---------------------------------------------------
 Reporter:  rransom     |          Owner:                    
     Type:  defect      |         Status:  needs_review      
 Priority:  major       |      Milestone:  Tor: 0.2.1.x-final
Component:  Tor Client  |        Version:                    
 Keywords:              |         Parent:                    
   Points:              |   Actualpoints:                    
------------------------+---------------------------------------------------

Comment(by nickm):

 Replying to [comment:16 asn]:
 > In a x86-64 system, `SIZEOF_SIZE_T == SIZEOF_INT` and `MAX_CAPACITY`
 becomes (int) (UINT_MAX / 8) == 2^29^, and MAX_CAPACITY/2 == 2^27^.

 Actually, on most X86_64 systems, SIZEOF_SIZE_T is 8 an SIZEOF_INT is 4.
 But it's allowable for them to be the same depending on the weirdness of
 the API, so let's go with it.

 In this case, UINT_MAX/8 is actually not 2^29^ .  It's 536870911,  which
 is 2^29^ -1.  So MAX_CAPACITY/2 will be 2^27^ - 1.

 (The -1s aren't relevant to your argument, I think.  But just in case.)

 > If you pass a size bigger than 2^29^ or INT_MAX/4, it will get in the
 `if (PREDICT_UNLIKELY(size > MAX_CAPACITY/2)) {` and hit the
 `tor_assert(size <= MAX_CAPACITY);`.

 Yup.  We have to hit that point.  Our response to OOM is a tor_assert()
 failure throughout the rest of the code.  We literally cannot allocate an
 array of more than MAX_CAPACITY elements in this case: to do so, we would
 need to pass a value larger than SIZE_MAX as an argument to tor_realloc,
 which is impossible, since SIZE_MAX is the largest SIZE_T value there can
 be.

 > I'm not sure if this is in the function's threat model, since you have
 to pass an enormous size and it would in any case probably OOM from the
 `realloc()`, but even the original overflow of this ticket needed a huge
 size.

-- 
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/4230#comment:17>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

More information about the tor-bugs mailing list