[tor-bugs] #20081 [Core Tor/Tor]: potential memory corruption in or/buffers.c (not exploitable)
Tor Bug Tracker & Wiki
blackhole at torproject.org
Mon Sep 12 11:26:34 UTC 2016
#20081: potential memory corruption in or/buffers.c (not exploitable)
-----------------------------------------+---------------------------------
Reporter: asn | Owner:
Type: defect | Status: needs_review
Priority: Medium | Milestone: Tor:
| 0.2.9.x-final
Component: Core Tor/Tor | Version:
Severity: Normal | Resolution:
Keywords: 029-proposed tor-bug-bounty | Actual Points:
Parent ID: | Points: 0.3
Reviewer: | Sponsor:
-----------------------------------------+---------------------------------
Comment (by nickm):
Like, how about this:
{{{
diff --git a/src/or/buffers.c b/src/or/buffers.c
index 31985723929a11..631c3b863a1b87 100644
--- a/src/or/buffers.c
+++ b/src/or/buffers.c
@@ -169,6 +169,9 @@ chunk_grow(chunk_t *chunk, size_t sz)
static inline size_t
preferred_chunk_size(size_t target)
{
+ tor_assert(target <= SIZE_T_CEILING - CHUNK_HEADER_LEN);
+ if (target > MAX_CHUNK_ALLOC)
+ return target;
size_t sz = MIN_CHUNK_ALLOC;
while (CHUNK_SIZE_WITH_ALLOC(sz) < target) {
sz <<= 1;
}}}
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/20081#comment:4>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
More information about the tor-bugs
mailing list