[tor-bugs] #17475 [Torsocks]: Overflow when parsing config lines with many arguments
Tor Bug Tracker & Wiki
blackhole at torproject.org
Fri Oct 30 18:20:09 UTC 2015
#17475: Overflow when parsing config lines with many arguments
----------------------------+---------------------
Reporter: junglefowl | Owner: dgoulet
Type: defect | Status: new
Priority: Medium | Milestone:
Component: Torsocks | Version:
Severity: Normal | Keywords:
Actual Points: | Parent ID:
Points: | Sponsor:
----------------------------+---------------------
It is possible to overflow tokens with a configuration that contains many
arguments in one line.

At first, the upper limit is specified as sizeof(tokens), which is
wrong. It has to be DEFAULT_MAX_CONF_TOKEN or sizeof(tokens) /
sizeof(tokens[0]). The former is shorter, therefore I took that one.

The next issue is in utils_tokenize_ignore_comments, which verifies that
enough space is available only with the ' ' separator. Later in the code,
'\t' is also allowed as a separator, which means that more arguments could
show up than previously taken into account during size checks.

This is an unlikely case, so the check will be done while parsing. When
the limit is reached, previously allocated memory is released again and
an error value is returned.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/17475>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
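
The two points in the report (an element count rather than sizeof as the limit, and a limit check made while splitting on both ' ' and '\t'), as an added C example that is not torsocks code or the reporter's patch. The names tokenize_bounded, ARRAY_LEN and MAX_TOKENS, and the limit value 5, are assumptions made for this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_TOKENS 5  /* assumed value; the report does not give the real limit */
#define ARRAY_LEN(a) (sizeof(a) / sizeof((a)[0]))  /* elements, not bytes */

/* Split line on ' ' and '\t' into heap-allocated copies stored in tokens[].
 * max_tokens is the number of slots in tokens[], never sizeof(tokens).
 * Returns the token count, or -1 if the line holds more tokens than fit or
 * an allocation fails; on error all copies made so far are freed. */
int tokenize_bounded(const char *line, size_t max_tokens, char **tokens)
{
    size_t count = 0;
    const char *p = line;

    for (size_t i = 0; i < max_tokens; i++)
        tokens[i] = NULL;
    while (*p != '\0') {
        p += strspn(p, " \t");           /* skip any run of separators */
        if (*p == '\0')
            break;
        size_t len = strcspn(p, " \t");  /* same separator set as above */
        if (count == max_tokens)         /* checked per token, while parsing */
            goto error;
        tokens[count] = malloc(len + 1);
        if (tokens[count] == NULL)
            goto error;
        memcpy(tokens[count], p, len);
        tokens[count][len] = '\0';
        count++;
        p += len;
    }
    return (int)count;
error:
    for (size_t i = 0; i < count; i++) {
        free(tokens[i]);
        tokens[i] = NULL;
    }
    return -1;
}

int main(void)
{
    char *tokens[MAX_TOKENS];
    /* Constructed input: six tab-separated arguments, one more than fits. */
    printf("%d\n", tokenize_bounded("a\tb\tc\td\te\tf", ARRAY_LEN(tokens), tokens));
    return 0;
}
```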