[tor-bugs] #10363 [Tor]: Avoid additional pointer overflow in channeltls.c:channel_tls_process_certs_cells

Wed Dec 11 19:34:15 UTC 2013

#10363: Avoid additional pointer overflow in
channeltls.c:channel_tls_process_certs_cells
------------------------+-------------------------------------------------
     Reporter:  nickm   |      Owner:
         Type:  defect  |     Status:  new
     Priority:  major   |  Milestone:  Tor: 0.2.5.x-final
    Component:  Tor     |    Version:
   Resolution:          |   Keywords:  024-backport 023-backport tor-relay
Actual Points:          |  Parent ID:
       Points:          |
------------------------+-------------------------------------------------

Comment (by nickm):

 The loop in channel_tls_process_versions_cell() has the same problem. if
 cp==end, then cp+1 is invalid.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/10363#comment:1>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online