[tor-bugs] #19567 [Core Tor/Tor]: SR: Fix issues Coverity found:
Tor Bug Tracker & Wiki
blackhole at torproject.org
Mon Jul 4 15:16:31 UTC 2016
#19567: SR: Fix issues Coverity found:
-------------------------------+--------------------------------
Reporter: dgoulet | Owner:
Type: defect | Status: new
Priority: High | Milestone: Tor: 0.2.9.x-final
Component: Core Tor/Tor | Version:
Severity: Normal | Keywords: tor-sr test
Actual Points: | Parent ID:
Points: 0.1 | Reviewer:
Sponsor: SponsorR-must |
-------------------------------+--------------------------------
Issue 1:
{{{
/src/or/shared_random_state.c: 639 in disk_state_update()
633 next = &(line->next);
634 }
635 if (sr_state->current_srv != NULL) {
636 *next = line = tor_malloc_zero(sizeof(*line));
637 line->key = tor_strdup(dstate_cur_srv_key);
638 disk_state_put_srv_line(sr_state->current_srv, line);
>>> CID 1362985: Code maintainability issues (UNUSED_VALUE)
>>> Assigning value from "&line->next" to "next" here, but that stored value is overwritten before it can be used.
639 next = &(line->next);
640 }
641
642 /* Parse the commits and construct config line(s). */
643 next = &sr_disk_state->Commit;
644 DIGESTMAP_FOREACH(sr_state->commits, key, sr_commit_t *, commit) {
}}}
Issue 2:
{{{
*** CID 1362984: Memory - corruptions (OVERRUN)
/src/test/test_shared_random.c: 943 in test_utils()
937 const char *payload =
938 "\x5d\xb9\x60\xb6\xcc\x51\x68\x52\x31\xd9\x88\x88\x71\x71\xe0\x30"
939 "\x59\x55\x7f\xcd\x61\xc0\x4b\x05\xb8\xcd\xc1\x48\xe9\xcd\x16\x1f"
940 "\x70\x15\x0c\xfc\xd3\x1a\x75\xd0\x93\x6c\xc4\xe0\x5c\xbe\xe2\x18"
941 "\xc7\xaf\x72\xb6\x7c\x9b\x52";
942 sr_commit_t commit1, commit2;
>>> CID 1362984: Memory - corruptions (OVERRUN)
>>> Overrunning buffer pointed to by "payload" of 56 bytes by passing it to a function which accesses it at byte offset 56 using argument "57UL". [Note: The source code implementation of the function has been overridden by a builtin model.]
943 memcpy(commit1.encoded_commit, payload, sizeof(commit1.encoded_commit));
944 memcpy(commit2.encoded_commit, payload, sizeof(commit2.encoded_commit));
945 tt_int_op(commitments_are_the_same(&commit1, &commit2), ==, 1);
946 /* Let's corrupt one of them. */
947 memset(commit1.encoded_commit, 'A', sizeof(commit1.encoded_commit));
948 tt_int_op(commitments_are_the_same(&commit1, &commit2), ==, 0);
}}}
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/19567>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
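
Added example, not part of the ticket and not Tor's code: the size mismatch behind CID 1362984 (a 56-byte source copied with a 57-byte length) next to a bounded copy that takes its length from the source. All `demo_*` names and the sample payload are hypothetical; only the sizes 56 and 57 come from the Coverity message above.

```c
#include <stddef.h>
#include <string.h>

/* Assumption: 57 is the copy length from the Coverity message ("57UL").
 * All names here are hypothetical, not identifiers from the Tor tree. */
#define DEMO_ENCODED_LEN 57

typedef struct { char encoded[DEMO_ENCODED_LEN]; } demo_commit_t;

/* Constructed sample: 55 characters, so 56 bytes with the NUL, the same
 * size Coverity reports for the test's payload literal. An array (not a
 * pointer) is used so that sizeof yields the literal's size. */
static const char demo_payload[] =
  "0123456789012345678901234" "5678901234567890123456789" "abcde";

/* Bytes a memcpy of copy_len would read past a source of src_size. */
static size_t demo_overread(size_t src_size, size_t copy_len)
{
  return copy_len > src_size ? copy_len - src_size : 0;
}

/* Flagged pattern (not executed here, it is undefined behaviour):
 *   memcpy(c.encoded, demo_payload, sizeof(c.encoded));   reads 57 of 56
 * Bounded form: length comes from the source, the tail is zero-filled. */
static int demo_fill(char *dst, size_t dst_len, const char *src, size_t src_size)
{
  if (src_size > dst_len)
    return -1;                      /* would overflow dst: refuse */
  memcpy(dst, src, src_size);       /* never reads past the source */
  memset(dst + src_size, 0, dst_len - src_size);
  return 0;
}

/* Whole-buffer comparison, defined because every byte was initialised. */
static int demo_same(const demo_commit_t *a, const demo_commit_t *b)
{
  return memcmp(a->encoded, b->encoded, sizeof(a->encoded)) == 0;
}

/* Mirrors the test's flow: fill both, compare, corrupt one, compare. */
static int demo_run(void)
{
  demo_commit_t c1, c2;
  if (demo_fill(c1.encoded, sizeof(c1.encoded), demo_payload, sizeof(demo_payload)) < 0 ||
      demo_fill(c2.encoded, sizeof(c2.encoded), demo_payload, sizeof(demo_payload)) < 0)
    return -1;
  int before = demo_same(&c1, &c2);
  memset(c1.encoded, 'A', sizeof(c1.encoded));
  return before == 1 && demo_same(&c1, &c2) == 0;
}

int main(void) { return demo_run() == 1 ? 0 : 1; }
```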