[tor-bugs] #17776 [Tor]: Buffer over-reads in directory and rendcache tests
Tor Bug Tracker & Wiki
blackhole at torproject.org
Tue Dec 8 23:13:01 UTC 2015
#17776: Buffer over-reads in directory and rendcache tests
-------------------------------+------------------------------------
Reporter: cypherpunks | Owner:
Type: defect | Status: needs_revision
Priority: Medium | Milestone: Tor: 0.2.8.x-final
Component: Tor | Version: Tor: 0.2.7.3-rc
Severity: Normal | Resolution:
Keywords: TorCoreTeam201512 | Actual Points:
Parent ID: | Points:
Sponsor: |
-------------------------------+------------------------------------
Comment (by teor):
Replying to [comment:4 cypherpunks]:
> Replying to [comment:2 teor]:
> > Replying to [comment:1 cypherpunks]:
> > > The attached patches fixes the issues mentioned in the ticket
description. I hope the commit messages speak for themselves. Rewriting
them into the ticket seemed redundant.
> >
> > Code Review: Patches 1 & 2
> >
> > I agree that these buffer overruns need to be fixed.
> >
> > But what I'd like to do is change the functions that overrun the
buffers so they don't overrun buffers if a short string is passed to them.
That way, we fix the problem at the source.
> >
> > I want to check that the fingerprint strings are:
> > * not NULL, and
> > * don't contain a NULL character in the first DIGEST_LEN bytes?
> > before the functions read the strings?
> >
> > You can use code like:
> > {{{
> > tor_assert(fingerprint);
> > tor_assert(memchr(fingerprint, 0, DIGEST_LEN) == NULL);
> > }}}
> >
> > That would also require updating all the test data so it's really
DIGEST_LEN characters long (and increasing the buffer lengths by 1 to
accommodate the terminating nul byte).
>
> The bugs were found using AddressSanitizer and i think the `memchr`
solution will trigger similar warnings because the behavior is undefined
if access occurs beyond the end of the array searched.
memchr(fingerprint, 0, DIGEST_LEN) will never access any byte in
fingerprint beyond a nul byte or DIGEST_LEN bytes. (Whichever comes
first.)
> The assertion implies that the digests are required to be null-
terminated strings. This moves away from the requirement that they need to
be `DIGEST_LEN` long and is something which could be ignored in a similar
fashion.
The assertion is intended to catch code which passes strings shorter than
DIGEST_LEN to the function. (We will need to comment it to make this
clear.)
Buffers passed to the function should never contain a nul byte in the
first DIGEST_LEN bytes. If they do, it's because someone passed a short
string to the function. (As you've noticed, this is easy to do.)
Since there's no way to find the length of the memory pointed to by a
pointer in C, our best option is to look for evidence that someone passed
in a short buffer.
> The solution IMO would be to require string length parameters (like the
modern C string functions).
The buffer is a set-length non-nul terminated block of memory.
Any string length parameter would always be DIGEST_LEN, so it's redundant.
(And it would imply that the buffers need to be nul-terminated, which they
don't.)
> Replying to [comment:3 teor]:
> > Patches 1 & 2 are on unit tests introduced in 0.2.7.3-rc.
> > (The functions being tested are a lot older than that.)
>
> The commit messages of patches 1 and 2 include the commits which
introduced the issues. According to `git describe --contains` both commits
are not within in a tag. Is this correct?
I don't know how this feature of git works.
I think we tag the commit that finalises a release. We don't tag all
commits in a release.
When I look for the release that contains a commit, I look for the first
release commit after that commit in git log.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/17776#comment:5>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
More information about the tor-bugs
mailing list