Skip to content

libevent (stack) buffer overflow in evutil_parse_sockaddr_port() #318

Closed
@asn-d6

Description

@asn-d6

Hello,

in evutil.c:

1798     char buf[128];
...
...
1809     cp = strchr(ip_as_string, ':');
1810     if (*ip_as_string == '[') {
1811         int len;
1812         if (!(cp = strchr(ip_as_string, ']'))) {
1813             return -1;
1814         }
1815         len = (int) ( cp-(ip_as_string + 1) );
1816         if (len > (int)sizeof(buf)-1) {
1817             return -1;
1818         }
1819         memcpy(buf, ip_as_string+1, len);

Length between '[' and ']' is cast to signed 32 bit integer on line 1815. Is the length is more than 2<<31 (INT_MAX), len will hold a negative value. Consequently, it will pass the check at line 1816. Segfault happens at line 1819.

Generate a resolv.conf with generate-resolv.conf, then compile and run poc.c. See entry-functions.txt for functions in tor that might be vulnerable.

Please credit 'Guido Vranken' for this discovery through the Tor bug bounty program.

Metadata

Metadata

Assignees

No one assigned

    Labels

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions