or/channeltls.c Pointer Overflow Leads To Undefined Behavior, No Error Handling
The bug is on line 1438 of or/channeltls.c. The original code had a check to see if the cp pointer (I believe this represents the current payload being processed) stepped over the bounds of the cell, by comparing cp >= end. This is a bad check because any pointer to any array indexed more than 1 past the end of an array is undefined behavior. This means that the compiler is free to optimize out this check because it can assume that the programmer never increases her pointer to an undefined region. Thus, under certain compilers in certain optimizations, this check may be optimized out.
See section 2.4 of this survey for a concise description of this behavior: http://pdos.csail.mit.edu/papers/ub:apsys12.pdf
The patch is included below.
*** tor-b600495/src/or/channeltls.c 2013-12-05 09:30:11.000000000 -0800
--- tor-bugfix/src/or/channeltls.c 2013-12-07 00:43:09.438040392 -0800
*************** channel_tls_process_netinfo_cell(cell_t
*** 1435,1441 ****
my_addr_ptr = (uint8_t*) cell->payload + 6;
end = cell->payload + CELL_PAYLOAD_SIZE;
cp = cell->payload + 6 + my_addr_len;
! if (cp >= end) {
log_fn(LOG_PROTOCOL_WARN, LD_OR,
"Addresses too long in netinfo cell; closing connection.");
connection_or_close_for_error(chan->conn, 0);
--- 1435,1441 ----
my_addr_ptr = (uint8_t*) cell->payload + 6;
end = cell->payload + CELL_PAYLOAD_SIZE;
cp = cell->payload + 6 + my_addr_len;
! if (my_addr_len >= CELL_PAYLOAD_SIZE - 6) {
log_fn(LOG_PROTOCOL_WARN, LD_OR,
"Addresses too long in netinfo cell; closing connection.");
connection_or_close_for_error(chan->conn, 0);
Trac:
Username: jaredlwong