[tor-bugs] #20894 [Core Tor/Tor]: Resolve read-off-end-of-buffer on atoi in fetch_from_buf_http (TROVE-2016-10-001)
Tor Bug Tracker & Wiki
blackhole at torproject.org
Tue Feb 14 00:27:22 UTC 2017
#20894: Resolve read-off-end-of-buffer on atoi in fetch_from_buf_http (TROVE-2016-10-001)
---------------------------------------+-----------------------------------
Reporter: teor | Owner: nickm
Type: defect | Status: needs_revision
Priority: High | Milestone: Tor: 0.3.0.x-final
Component: Core Tor/Tor | Version: Tor: unspecified
Severity: Normal | Resolution:
Keywords: tor-03-unspecified-201612 | Actual Points:
Parent ID: | Points: 0.5
Reviewer: | Sponsor:
---------------------------------------+-----------------------------------
Changes (by teor):
* status: needs_review => needs_revision
Comment:
Can `headers+headerlen` wrap here?
If so, we also need:
`tor_assert(headers < SIZE_T_MAX - headerlen);`
Before every time we do `headers+headerlen`.
(And before:
`p = (char*) tor_memstr(headers, headerlen, CONTENT_LENGTH);`
which effectively does `headers+headerlen`.)
Please credit AFL in the changes file:
Discovered by fuzzing using AFL: http://lcamtuf.coredump.cx/afl/
Replying to [ticket:20894 teor]:
> It would be nice to email the maintainer with this ticket number and let
> them know, so they can add it to their gallery.
I emailed the AFL maintainer today and CC'd tor-team.
This bug is now linked from http://lcamtuf.coredump.cx/afl/
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/20894#comment:8>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
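As an added illustration of the review point above (not code from the ticket or from Tor), here is a bounded Content-Length parse that guards the `headers+headerlen` computation and stops at the end of the buffer instead of handing a non-terminated string to `atoi`. `bounded_memstr` is a hypothetical stand-in for `tor_memstr`, `UINTPTR_MAX` stands in for Tor's `SIZE_T_MAX`, the `CONTENT_LENGTH` needle is assumed, and `SAMPLE_HEADERS` is a constructed input.

```c
#include <limits.h>
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Assumed to match the header prefix Tor searches for. */
#define CONTENT_LENGTH "\r\nContent-Length: "

/* Constructed sample: a complete HTTP header block (NUL-terminated here
 * only for convenience; the parser never relies on the terminator). */
static const char SAMPLE_HEADERS[] =
  "HTTP/1.0 200 OK\r\nContent-Length: 1234\r\n\r\n";

/* Hypothetical stand-in for tor_memstr: a length-bounded substring search
 * that never touches bytes at or beyond hay+haylen. */
static const char *bounded_memstr(const char *hay, size_t haylen,
                                  const char *needle) {
  size_t nlen = strlen(needle);
  if (nlen > haylen) return NULL;
  for (size_t i = 0; i + nlen <= haylen; i++)
    if (memcmp(hay + i, needle, nlen) == 0) return hay + i;
  return NULL;
}

/* Parse Content-Length from a header block of exactly headerlen bytes.
 * Returns the value, or -1 if the header is absent, malformed, numerically
 * overflowing, or cut off by the end of the buffer (the case where a plain
 * atoi() would keep reading past headers+headerlen). */
long bounded_content_length(const char *headers, size_t headerlen) {
  /* The wrap check the review asks for: headers+headerlen must not wrap. */
  if ((uintptr_t)headers > UINTPTR_MAX - headerlen) return -1;
  const char *end = headers + headerlen;
  const char *p = bounded_memstr(headers, headerlen, CONTENT_LENGTH);
  if (!p) return -1;
  p += strlen(CONTENT_LENGTH);          /* match lies fully inside, so p <= end */
  long value = 0;
  const char *digits = p;
  while (p < end && *p >= '0' && *p <= '9') {
    int d = *p - '0';
    if (value > (LONG_MAX - d) / 10) return -1;  /* numeric overflow */
    value = value * 10 + d;
    p++;
  }
  /* Require at least one digit and a CRLF terminator inside the buffer. */
  if (p == digits || end - p < 2 || p[0] != '\r' || p[1] != '\n') return -1;
  return value;
}
```

With `headerlen` cut to 35 the sample ends in `Content-Length: 12`, and the parser reports -1 rather than reading the `34` that sits beyond the declared length.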