[tor-bugs] #12227 [Tor]: ASan stack-buffer-overflow in prune_v2_cipher_list -- not exploitable

Tor Bug Tracker & Wiki blackhole at torproject.org
Sun Jun 8 02:29:45 UTC 2014


#12227: ASan stack-buffer-overflow in prune_v2_cipher_list  -- not exploitable
-----------------------+-------------------------------
 Reporter:  starlight  |          Owner:
     Type:  defect     |         Status:  new
 Priority:  normal     |      Milestone:
Component:  Tor        |        Version:  Tor: 0.2.4.22
 Keywords:             |  Actual Points:
Parent ID:             |         Points:
-----------------------+-------------------------------
 Found a minor buffer overflow when
 running live relay with  'tor' and
 'openssl' both compiled with
 AddressSanitizer.

    tortls.c:1492:  unsigned char cipherid[2];

 should be three characters and the
 final byte initialized to zero for

    ssl2_get_cipher_by_char()

 to function correctly and to avoid
 an ASan access exception.

 Tested patch that resolves this
 issue is attached.

 Compiled with gcc 4.8.1 and with
 these added options:

 tor-0.2.4.22

    -O1  # instead of -O2
    -fsanitize=address
    -fno-omit-frame-pointer

 openssl-1.0.1h

    -fstack-protector-all
    --param ssp-buffer-size=1
    -fsanitize=address
    -fno-omit-frame-pointer
    -DOPENSSL_NO_BUF_FREELIST

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/12227>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
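The sizing mismatch the ticket describes, as an added example that is not part of the ticket, the attached patch, Tor or OpenSSL: a callee that compares three id bytes is handed a buffer the caller sized for two. The tables, cipher names and ids here are constructed; the two-byte-then-three-byte fallback in `get_cipher_by_char_v23` and all function names are assumptions of the example. It shows the corrected caller shape (a three-byte buffer with the trailing byte zeroed) and adds a length-checked entry point so a too-short buffer is refused rather than over-read.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed tables for this example only; the ids and names are made up and
 * are not OpenSSL's. A "v3" id is two bytes, a "v2" id is three. */
struct v3_cipher { unsigned char id[2]; const char *name; };
struct v2_cipher { unsigned char id[3]; const char *name; };

static const struct v3_cipher V3_TABLE[] = {
    { { 0x00, 0x2f }, "EX_TLS_AES128" },
    { { 0x00, 0x35 }, "EX_TLS_AES256" },
};
static const struct v2_cipher V2_TABLE[] = {
    { { 0x01, 0x00, 0x80 }, "EX_V2_RC4_128" },
    { { 0x02, 0x00, 0x80 }, "EX_V2_RC4_40"  },
};

#define ARRAY_LEN(a) (sizeof(a) / sizeof((a)[0]))

/* Two-byte lookup: reads p[0..1]. */
static const char *get_cipher_by_char_v3(const unsigned char *p)
{
    for (size_t i = 0; i < ARRAY_LEN(V3_TABLE); i++)
        if (memcmp(V3_TABLE[i].id, p, 2) == 0)
            return V3_TABLE[i].name;
    return NULL;
}

/* Three-byte lookup: reads p[0..2]. This is the read width the ticket
 * attributes to ssl2_get_cipher_by_char(); a caller holding only two bytes
 * lets it touch one byte past its buffer. */
static const char *get_cipher_by_char_v2(const unsigned char *p)
{
    for (size_t i = 0; i < ARRAY_LEN(V2_TABLE); i++)
        if (memcmp(V2_TABLE[i].id, p, 3) == 0)
            return V2_TABLE[i].name;
    return NULL;
}

/* Assumed combined lookup: try the two-byte form, then fall back to the
 * three-byte one. Either way the caller must supply three valid bytes. */
static const char *get_cipher_by_char_v23(const unsigned char *p)
{
    const char *c = get_cipher_by_char_v3(p);
    return c ? c : get_cipher_by_char_v2(p);
}

/* Checked entry point: the caller states how many bytes it really has, and a
 * buffer shorter than the widest read is refused instead of over-read. */
const char *get_cipher_checked(const unsigned char *p, size_t len)
{
    if (p == NULL || len < 3)
        return NULL;
    return get_cipher_by_char_v23(p);
}

/* Caller in the shape the ticket describes. The buffer is sized to the
 * callee's widest read (three bytes, not two) and the byte the caller has no
 * value for is set to zero so the three-byte comparison is deterministic. */
const char *lookup_suite(uint16_t suite)
{
    unsigned char cipherid[3];
    cipherid[0] = (unsigned char)(suite >> 8);
    cipherid[1] = (unsigned char)(suite & 0xff);
    cipherid[2] = 0;
    return get_cipher_checked(cipherid, sizeof cipherid);
}

/* The original defect with the over-read turned into a refusal: a two-byte
 * buffer handed to the checked entry point yields NULL rather than a read
 * past the end of the array. Returns 1 when the short buffer was rejected. */
int short_buffer_is_rejected(void)
{
    unsigned char shortid[2] = { 0x01, 0x00 };
    return get_cipher_checked(shortid, sizeof shortid) == NULL;
}

int main(void)
{
    const char *n;
    n = lookup_suite(0x002f);
    printf("0x002f -> %s\n", n ? n : "(none)");
    n = lookup_suite(0x0100);
    printf("0x0100 -> %s\n", n ? n : "(none)");
    printf("two-byte buffer rejected: %d\n", short_buffer_is_rejected());
    return 0;
}
```

Building this with `-fsanitize=address` and replacing `cipherid[3]` by `cipherid[2]` in `lookup_suite` (while bypassing the length check) reproduces the class of report the ticket describes, which is why the checked entry point takes the caller's real buffer length rather than trusting the pointer alone.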

