[tor-bugs] #14031 [Tor]: use after freed
Tor Bug Tracker & Wiki
blackhole at torproject.org
Sat Dec 27 00:38:54 UTC 2014
#14031: use after freed
----------------------------+--------------------------------
Reporter: MegaManSec | Owner:
Type: defect | Status: needs_information
Priority: minor | Milestone: Tor: 0.2.6.x-final
Component: Tor | Version:
Resolution: | Keywords: tor-tests
Actual Points: | Parent ID:
Points: |
----------------------------+--------------------------------
Comment (by MegaManSec):
Cool, thanks.
How about this?:
rendservice.c

5. alias: Assigning: rp_nickname = intro->u.v0.rp. rp_nickname now points
to byte 0 of intro->u.v0.rp (which consists of 20 bytes).

  1531     else rp_nickname = (const char *)(intro->u.v0.rp);

CID 12172 (#1 of 1): Out-of-bounds access (OVERRUN)
6. overrun-buffer-val: Overrunning buffer pointed to by rp_nickname of
20 bytes by passing it to a function which accesses it at byte offset 40.

  1533     node = node_get_by_nickname(rp_nickname, 0);

Thanks,
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/14031#comment:4>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
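
Added example, not Tor code and not part of the ticket: the pattern the Coverity report describes, a fixed 20-byte field cast to `const char *` and handed to a string-consuming function, next to a bounded termination check that rejects the field when no NUL lies inside it. The struct layout, `rp_as_cstring`, `scanned_length` and the sample data are hypothetical; the ticket itself does not settle whether the flagged call site is reachable with an unterminated field.

```c
#include <stddef.h>
#include <string.h>

#define RP_FIELD_LEN 20   /* field size quoted in the Coverity report */

/* Hypothetical stand-in for a parsed message: a fixed 20-byte name
 * field followed by unrelated bytes. */
struct intro_v0 {
    unsigned char rp[RP_FIELD_LEN];
    unsigned char trailing[32];
};

/* Return the field as a C string only if a NUL terminator lies inside
 * its RP_FIELD_LEN bytes; otherwise return NULL so the caller rejects
 * the input instead of passing an unterminated buffer to a string API. */
static const char *rp_as_cstring(const struct intro_v0 *in)
{
    if (in == NULL || memchr(in->rp, '\0', RP_FIELD_LEN) == NULL)
        return NULL;
    return (const char *)in->rp;
}

/* Hypothetical string consumer: reports how many bytes it scanned
 * before a NUL, capped at `limit`. */
static size_t scanned_length(const char *s, size_t limit)
{
    size_t n = 0;
    while (n < limit && s[n] != '\0')
        n++;
    return n;
}

/* Constructed sample inputs: terminated or fully non-NUL. */
static struct intro_v0 make_sample(int terminated)
{
    struct intro_v0 v;
    memset(&v, 'A', sizeof(v));
    if (terminated)
        memcpy(v.rp, "relaynick", 10);   /* 9 chars plus the NUL */
    return v;
}

int main(void)
{
    struct intro_v0 good = make_sample(1), bad = make_sample(0);
    /* Over the raw bytes, an unterminated field lets a scan reach offset 40. */
    size_t overrun = scanned_length((const char *)&bad, 40);
    return (rp_as_cstring(&good) && !rp_as_cstring(&bad) && overrun == 40) ? 0 : 1;
}
```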