[tor-bugs] #10363 [Tor]: Avoid additional pointer overflow in channeltls.c:channel_tls_process_certs_cells
Tor Bug Tracker & Wiki
blackhole at torproject.org
Thu Dec 12 20:19:21 UTC 2013
#10363: Avoid additional pointer overflow in
channeltls.c:channel_tls_process_certs_cells
------------------------+-------------------------------------------------
     Reporter:  nickm   |          Owner:
         Type:  defect  |         Status:  new
     Priority:  major   |      Milestone:  Tor: 0.2.5.x-final
    Component:  Tor     |        Version:
   Resolution:          |       Keywords:  024-backport 023-backport tor-relay
Actual Points:          |      Parent ID:
       Points:          |
------------------------+-------------------------------------------------
Comment (by cypherpunks):
Another version of the fix for channel_tls_process_certs_cell.
{{{
@@ -1557,6 +1557,7 @@
tor_cert_t *id_cert = NULL;
tor_cert_t *auth_cert = NULL;
uint8_t *ptr;
+ int remains;
int n_certs, i;
int send_netinfo = 0;
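Review bot: the new `int remains;` declaration carries no comment saying what it counts or why it is signed. A short comment (for example, that it is the number of payload bytes not yet consumed, starting from `ptr`) would document the invariant the later `remains < 3` and `remains < cert_len + 3` checks depend on, and would make it clear that the signed type is deliberate, given that the assert added at the end of the patch casts to `size_t` to compare against `cell->payload_len`.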
@@ -1591,15 +1592,16 @@
n_certs = cell->payload[0];
ptr = cell->payload + 1;
+ remains = cell->payload_len - 1;
for (i = 0; i < n_certs; ++i) {
uint8_t cert_type;
uint16_t cert_len;
- if (ptr + 3 > cell->payload + cell->payload_len) {
+ if (remains < 3) {
goto truncated;
}
cert_type = *ptr;
cert_len = ntohs(get_uint16(ptr+1));
- if (ptr + 3 + cert_len > cell->payload + cell->payload_len) {
+ if (remains < cert_len + 3) {
goto truncated;
}
if (cert_type == OR_CERT_TYPE_TLS_LINK ||
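Review bot: the initialisation `remains = cell->payload_len - 1;` assumes the payload holds at least one byte, and the context line just above it already reads `cell->payload[0]`; nothing in this hunk checks that. If no earlier code guarantees a non-empty payload, `remains` starts at -1, which `remains < 3` catches once the loop runs, but only after `payload[0]` has been read. It is worth confirming that such a check exists above these lines, or adding one. The comparison `remains < cert_len + 3` itself does not wrap, since `cert_len` is a `uint16_t` promoted to `int`, provided `int` is wider than 16 bits.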
@@ -1636,11 +1638,13 @@
}
}
ptr += 3 + cert_len;
+ remains -= 3 + cert_len;
continue;
truncated:
ERR("It ends in the middle of a certificate");
}
+ tor_assert((size_t)(ptr - cell->payload) <= cell->payload_len);
if (chan->conn->handshake_state->started_here) {
int severity;
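Review bot: the added `tor_assert` after the loop checks `ptr`, while the loop's bounds decisions are now made on `remains`. The two are advanced together in `ptr += 3 + cert_len;` and `remains -= 3 + cert_len;`, but nothing ties them to each other, so a later edit that updates one and not the other would go unnoticed. Asserting on the variable the checks rely on (`remains >= 0`), or asserting that `ptr - cell->payload` plus `remains` equals `cell->payload_len`, would cover that case.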
}}}
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/10363#comment:6>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online