[tor-bugs] #20894 [Core Tor/Tor]: Resolve read-off-end-of-buffer on atoi in fetch_from_buf_http (TROVE-2016-10-001)
Tor Bug Tracker & Wiki
blackhole at torproject.org
Tue Feb 14 21:46:39 UTC 2017
#20894: Resolve read-off-end-of-buffer on atoi in fetch_from_buf_http
(TROVE-2016-10-001)
---------------------------------------+-----------------------------------
Reporter: teor | Owner: nickm
Type: defect | Status: needs_review
Priority: High | Milestone: Tor:
| 0.3.0.x-final
Component: Core Tor/Tor | Version: Tor: unspecified
Severity: Normal | Resolution:
Keywords: tor-03-unspecified-201612 | Actual Points:
Parent ID: | Points: 0.5
Reviewer: | Sponsor:
---------------------------------------+-----------------------------------
Changes (by nickm):
* status: needs_revision => needs_review
Comment:
> Can headers+headerlen can wrap here?
I believe it can't, since headers is a pointer to a place in a buffer, and
headerlen is an amount of memory that's readable at that point.
I've forward-ported to 0.2.9, moved the unit test, added a correct use of
STATIC, and credited AFL in a branch `bug20894_029_v3`. I'm fine taking
this in 0.3.0 or 0.2.9.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/20894#comment:10>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
More information about the tor-bugs
mailing list