#22368: double-free of MyFamily lines
------------------------------------------------+--------------------------
Reporter: arma                                  | Owner:
Type: defect                                    | Status: needs_review
Priority: Medium                                | Milestone: Tor: 0.3.1.x-final
Component: Core Tor/Tor                         | Version: Tor: 0.3.1.1-alpha
Severity: Normal                                | Resolution:
Keywords: regression memory-safety tor-relay    | Actual Points:
Parent ID:                                      | Points:
Reviewer:                                       | Sponsor:
------------------------------------------------+--------------------------
Comment (by teor):
Replying to [comment:7 arma]:
> Speaking of just about anything, it is distantly possible that relays
> who hit this bug will print little pieces of arbitrary memory, if they are
> valid nicknames or hexes, into the Family line of their descriptor. Good
> times.
Since the smallest valid nickname is 1 character, it discloses 1 byte with
probability 62/256, 2 bytes with probability (62/256)^2, ...
Unless it needs to be a valid continuation of a nickname list?
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/22368#comment:8>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
_______________________________________________
tor-bugs mailing list
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs