buf_pullup in Tor before 0.2.4.26 and 0.2.5.x before 0.2.5.11 does not properly handle unexpected arrival times of buffers with invalid layouts, which allows remote attackers to cause a denial of service (assertion failure and daemon exit) via crafted packets.
[
  {
    "product": "Tor",
    "vendor": "The Tor Project",
    "versions": [
      {
        "status": "affected",
        "version": "before 0.2.4.26"
      },
      {
        "status": "affected",
        "version": "0.2.5.x before 0.2.5.11"
      }
    ]
  }
]