tor-bytes: defend against misuse of extract_n().

Nick Mathewson requested to merge nickm/arti:fuzzing_tor_bytes into main

Previously, if somebody wrote this code, an attacker could easily use it to cause an OOM panic:

```rust
// The count comes straight off the wire, so an attacker controls n.
let n = r.take_u64();
// Vec::with_capacity(n) inside extract_n then tries to reserve n slots up front.
let items: Vec<Foo> = r.extract_n(n as usize)?;
```

The first line of defense here is not to write protocols like that: we don't actually have any 32-bit counters in our protocol AFAICT.

The second line of defense is to pre-check n for reasonableness before calling extract_n.

Here we add a third line of defense: whereas previously we would do Vec::with_capacity(n) in extract_n, we now allocate an initial capacity of min(n, r.remaining()). This ensures that the size of the allocation can't exceed the remaining length of the message, which (for our cell types at least) should prevent it from overflowing or running OOM.
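The three defenses side by side, as an added example that is not arti's tor-bytes code: a minimal `Reader` whose `extract_n` bounds its initial capacity by `remaining()`, plus a pre-checked variant for the second line of defense. The names `Reader`, `Readable`, `Foo`, `parse_list` and `bounded_capacity`, and the sample messages, are illustrative assumptions, not the crate's API.

```rust
// Added example, not arti's tor-bytes code: a minimal Reader that mirrors the
// defenses described in the merge request. Names (Reader, Readable, Foo,
// parse_list, bounded_capacity) are illustrative assumptions.
use std::cmp::min;
use std::convert::TryInto;

#[derive(Debug, PartialEq)]
pub enum Error {
    /// The message ended before the requested bytes/items were read.
    Truncated,
    /// A declared count failed a plausibility pre-check (second line of defense).
    BadLength(u64),
}

/// Something that can be parsed out of a Reader.
pub trait Readable: Sized {
    fn take_from(r: &mut Reader<'_>) -> Result<Self, Error>;
}

pub struct Reader<'a> {
    buf: &'a [u8],
    off: usize,
}

/// Third line of defense: every item consumes at least one byte, so the
/// initial allocation for n items never needs to exceed the bytes left.
pub fn bounded_capacity(n: usize, remaining: usize) -> usize {
    min(n, remaining)
}

impl<'a> Reader<'a> {
    pub fn new(buf: &'a [u8]) -> Self {
        Reader { buf, off: 0 }
    }

    pub fn remaining(&self) -> usize {
        self.buf.len() - self.off
    }

    pub fn take(&mut self, n: usize) -> Result<&'a [u8], Error> {
        if n > self.remaining() {
            return Err(Error::Truncated);
        }
        let s = &self.buf[self.off..self.off + n];
        self.off += n;
        Ok(s)
    }

    pub fn take_u8(&mut self) -> Result<u8, Error> {
        Ok(self.take(1)?[0])
    }

    pub fn take_u64(&mut self) -> Result<u64, Error> {
        let b: [u8; 8] = self.take(8)?.try_into().expect("take(8) returned 8 bytes");
        Ok(u64::from_be_bytes(b))
    }

    /// Reads n items. Capacity is bounded by remaining(), so a hostile count
    /// costs at most one message-sized allocation; the loop then fails with
    /// Truncated instead of exhausting memory.
    pub fn extract_n<T: Readable>(&mut self, n: usize) -> Result<Vec<T>, Error> {
        let mut items = Vec::with_capacity(bounded_capacity(n, self.remaining()));
        for _ in 0..n {
            items.push(T::take_from(self)?);
        }
        Ok(items)
    }

    /// Second line of defense: reject an implausible count before allocating.
    pub fn extract_n_checked<T: Readable>(&mut self, n: u64, max: usize) -> Result<Vec<T>, Error> {
        if n > max as u64 {
            return Err(Error::BadLength(n));
        }
        self.extract_n(n as usize)
    }
}

/// A one-byte item standing in for the Foo of the description.
#[derive(Debug, PartialEq)]
pub struct Foo(pub u8);

impl Readable for Foo {
    fn take_from(r: &mut Reader<'_>) -> Result<Self, Error> {
        Ok(Foo(r.take_u8()?))
    }
}

/// The pattern from the description: a 64-bit count followed by the items.
pub fn parse_list(msg: &[u8]) -> Result<Vec<Foo>, Error> {
    let mut r = Reader::new(msg);
    let n = r.take_u64()?;
    r.extract_n(n as usize)
}

/// Same wire format, with a plausibility limit applied to the count first.
pub fn parse_list_checked(msg: &[u8], max: usize) -> Result<Vec<Foo>, Error> {
    let mut r = Reader::new(msg);
    let n = r.take_u64()?;
    r.extract_n_checked(n, max)
}

/// Constructed sample messages: a valid list of three items, and one whose
/// count field claims u64::MAX items while only three bytes follow.
pub fn sample_ok() -> Vec<u8> {
    let mut m = 3u64.to_be_bytes().to_vec();
    m.extend_from_slice(&[1, 2, 3]);
    m
}
pub fn sample_hostile() -> Vec<u8> {
    let mut m = u64::MAX.to_be_bytes().to_vec();
    m.extend_from_slice(&[1, 2, 3]);
    m
}

fn main() {
    println!("{:?}", parse_list(&sample_ok()));
    println!("{:?}", parse_list(&sample_hostile()));
    println!("{:?}", parse_list_checked(&sample_hostile(), 64));
}
```

With an unbounded `Vec::with_capacity(n as usize)` the hostile message would request a u64::MAX-element allocation (a capacity-overflow panic or an abort from the allocator); with the bound it reserves three slots, parses three items, and returns `Truncated` on the fourth. The first line of defense, not needing a 64-bit count on the wire at all, is the one that removes the problem rather than containing it.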