[tor-bugs] #20894 [Core Tor/Tor]: Resolve read-off-end-of-buffer on atoi in fetch_from_buf_http (TROVE-2016-10-001)

Tor Bug Tracker & Wiki blackhole at torproject.org
Tue Feb 14 00:27:22 UTC 2017


#20894: Resolve read-off-end-of-buffer on atoi in fetch_from_buf_http
(TROVE-2016-10-001)
---------------------------------------+-----------------------------------
 Reporter:  teor                       |          Owner:  nickm
     Type:  defect                     |         Status:  needs_revision
 Priority:  High                       |      Milestone:  Tor:
                                       |  0.3.0.x-final
Component:  Core Tor/Tor               |        Version:  Tor: unspecified
 Severity:  Normal                     |     Resolution:
 Keywords:  tor-03-unspecified-201612  |  Actual Points:
Parent ID:                             |         Points:  0.5
 Reviewer:                             |        Sponsor:
---------------------------------------+-----------------------------------
Changes (by teor):

 * status:  needs_review => needs_revision


Comment:

 Can `headers+headerlen` wrap here?

 If so, we also need:
 `tor_assert(headers < SIZE_T_MAX - headerlen);`
 Before every time we do `headers+headerlen`.
 (And before:
 `p = (char*) tor_memstr(headers, headerlen, CONTENT_LENGTH);`
 which effectively does `headers+headerlen`.)

 Please credit AFL in the changes file:

 Discovered by fuzzing using AFL: http://lcamtuf.coredump.cx/afl/

 Replying to [ticket:20894 teor]:
 > It would be nice to email the maintainer with this ticket number and let
 > them know, so they can add it to their gallery.

 I emailed the AFL maintainer today and CC'd tor-team.
 This bug is now linked from http://lcamtuf.coredump.cx/afl/

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/20894#comment:8>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
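
The hazard this ticket is about, as an added C example. This is not Tor's code and not the patch under review: the helper names (`bounded_memstr`, `parse_content_length`, `content_length_or_neg1`, the `demo_*` functions) are invented here, `bounded_memstr` stands in for `tor_memstr`, and the HTTP buffer is constructed for the demo. It parses a Content-Length value out of a buffer that is not NUL-terminated, touching only bytes inside the stated length, and shows next to it what `atoi()` does with the same bytes.

```c
/*
 * Added example, not code from Tor or from the ticket: parse an HTTP
 * Content-Length value out of a buffer that is NOT NUL-terminated, reading
 * only bytes inside [headers, headers + headerlen).  atoi() has no length
 * argument, so it keeps consuming digits past the end of such a buffer.
 * Helper names (bounded_memstr, content_length_or_neg1, demo_*) are
 * invented for this example; the sample buffer is constructed.
 */
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Bounded substring search in the spirit of memmem(3).  Loop bounds are
 * computed on lengths, so no haystack + hlen end pointer is ever formed. */
static const char *
bounded_memstr(const char *haystack, size_t hlen, const char *needle, size_t nlen)
{
    if (nlen == 0 || nlen > hlen)
        return NULL;
    for (size_t i = 0; i <= hlen - nlen; i++)   /* hlen - nlen cannot underflow here */
        if (memcmp(haystack + i, needle, nlen) == 0)
            return haystack + i;
    return NULL;
}

/* Returns 0 and stores the value in *out; -1 if the header is absent, has no
 * digits, or does not fit in a size_t.  No byte at or beyond headerlen is read. */
int
parse_content_length(const char *headers, size_t headerlen, size_t *out)
{
    static const char key[] = "Content-Length: ";
    const size_t keylen = sizeof(key) - 1;

    const char *p = bounded_memstr(headers, headerlen, key, keylen);
    if (p == NULL)
        return -1;

    /* Bytes available after the key, kept as a length rather than an end pointer. */
    size_t remaining = headerlen - (size_t)(p - headers) - keylen;
    p += keylen;

    size_t value = 0, ndigits = 0;
    while (ndigits < remaining && p[ndigits] >= '0' && p[ndigits] <= '9') {
        unsigned d = (unsigned)(p[ndigits] - '0');
        if (value > (SIZE_MAX - d) / 10)          /* value * 10 + d would overflow */
            return -1;
        value = value * 10 + d;
        ndigits++;
    }
    if (ndigits == 0)
        return -1;
    *out = value;
    return 0;
}

/* Convenience wrapper for the demos: the parsed value, or -1 on failure. */
long
content_length_or_neg1(const char *headers, size_t headerlen)
{
    size_t v;
    if (parse_content_length(headers, headerlen, &v) != 0 || v > LONG_MAX)
        return -1;
    return (long)v;
}

/* Constructed sample.  The literal is NUL-terminated (which is the only reason
 * calling atoi() on it below is not undefined behaviour), but the parser is
 * handed a headerlen that ends after "42", so the trailing "99" is out of bounds. */
static const char demo_buf[] = "HTTP/1.0 200 OK\r\nContent-Length: 4299";
static const size_t demo_short_len = sizeof(demo_buf) - 1 - 2;   /* excludes "99" */

/* Bounded parser honours headerlen and sees only "42". */
long demo_bounded(void)        { return content_length_or_neg1(demo_buf, demo_short_len); }
/* atoi() on the digits at offset 33 ignores the bound and reads "4299". */
long demo_atoi_unbounded(void) { return atoi(demo_buf + demo_short_len - 2); }
/* No Content-Length header at all. */
long demo_missing(void)        { return content_length_or_neg1("HTTP/1.0 200 OK\r\n", 17); }
/* Digit string wider than size_t is rejected instead of wrapping. */
long demo_overflow(void)       { const char *s = "Content-Length: 99999999999999999999999999";
                                 return content_length_or_neg1(s, strlen(s)); }

int
main(void)
{
    printf("bounded=%ld atoi=%ld missing=%ld overflow=%ld\n",
           demo_bounded(), demo_atoi_unbounded(), demo_missing(), demo_overflow());
    return 0;
}
```

Keeping the remaining byte count as a `size_t` instead of computing `headers+headerlen` also sidesteps the wrap question raised in the comment: in standard C, forming a pointer more than one past the end of the object is undefined whether or not the address arithmetic happens to wrap, so bounds are safest expressed as lengths that are checked before any pointer is advanced.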

