[tor-bugs] #5402 [Tor Client]: #5090 allows post-auth heap overflow
Tor Bug Tracker & Wiki
torproject-admin at torproject.org
Fri Mar 16 10:18:05 UTC 2012
#5402: #5090 allows post-auth heap overflow
------------------------+---------------------------------------------------
Reporter: arma | Owner:
Type: defect | Status: new
Priority: major | Milestone: Tor: 0.2.2.x-final
Component: Tor Client | Version:
Keywords: | Parent:
Points: | Actualpoints:
------------------------+---------------------------------------------------
Comment(by rransom):
Replying to [ticket:5402 arma]:
> And Nick points out:
{{{
We ought to audit uses of get_escaped_string_length in control.c
nevertheless. It is a *PHENOMINALLY BAD IDEA* in C to have
independent functions that count the length of something and that
parse it. We should look for other cases of that antipattern too.
}}}
`get_escaped_string_length` in control.c is harmless -- it is only called
from the two functions which immediately follow it in the file
(`extract_escaped_string`, which does not attempt to unescape the string,
and `decode_escaped_string`, which unescapes the string using the same
rules that `get_escaped_string_length` uses).
`decode_escaped_string` is only called from `handle_control_authenticate`,
which can obviously be called before authenticating to the control port.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/5402#comment:2>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
More information about the tor-bugs
mailing list