Closed
Description
Hello,
in evutil.c:
1798 char buf[128];
...
...
1809 cp = strchr(ip_as_string, ':');
1810 if (*ip_as_string == '[') {
1811 int len;
1812 if (!(cp = strchr(ip_as_string, ']'))) {
1813 return -1;
1814 }
1815 len = (int) ( cp-(ip_as_string + 1) );
1816 if (len > (int)sizeof(buf)-1) {
1817 return -1;
1818 }
1819 memcpy(buf, ip_as_string+1, len);
Length between '[' and ']' is cast to signed 32 bit integer on line 1815. Is the length is more than 2<<31 (INT_MAX), len will hold a negative value. Consequently, it will pass the check at line 1816. Segfault happens at line 1819.
Generate a resolv.conf with generate-resolv.conf, then compile and run poc.c. See entry-functions.txt for functions in tor that might be vulnerable.
Please credit 'Guido Vranken' for this discovery through the Tor bug bounty program.