mirror of
https://gitlab.torproject.org/tpo/core/tor.git
synced 2024-11-28 06:13:31 +01:00
Merge branch 'maint-0.3.2'
This commit is contained in:
commit
0227aab1b7
4
changes/bug24150
Normal file
4
changes/bug24150
Normal file
@ -0,0 +1,4 @@
|
||||
o Minor bugfixes (v3 onion services):
|
||||
- Fix a memory leak when decrypting a badly formatted v3 onion
|
||||
service descriptor. Fixes bug 24150; bugfix on 0.3.2.1-alpha.
|
||||
Found by OSS-Fuzz; this is OSS-Fuzz issue 3994.
|
@ -1302,7 +1302,11 @@ encrypted_data_length_is_valid(size_t len)
|
||||
* <b>encrypted_blob_size</b>. Use the descriptor object <b>desc</b> to
|
||||
* generate the right decryption keys; set <b>decrypted_out</b> to the
|
||||
* plaintext. If <b>is_superencrypted_layer</b> is set, this is the outter
|
||||
* encrypted layer of the descriptor. */
|
||||
* encrypted layer of the descriptor.
|
||||
*
|
||||
* On any error case, including an empty output, return 0 and set
|
||||
* *<b>decrypted_out</b> to NULL.
|
||||
*/
|
||||
MOCK_IMPL(STATIC size_t,
|
||||
decrypt_desc_layer,(const hs_descriptor_t *desc,
|
||||
const uint8_t *encrypted_blob,
|
||||
@ -1382,6 +1386,11 @@ decrypt_desc_layer,(const hs_descriptor_t *desc,
|
||||
}
|
||||
}
|
||||
|
||||
if (result_len == 0) {
|
||||
/* Treat this as an error, so that somebody will free the output. */
|
||||
goto err;
|
||||
}
|
||||
|
||||
/* Make sure to NUL terminate the string. */
|
||||
decrypted[encrypted_len] = '\0';
|
||||
*decrypted_out = (char *) decrypted;
|
||||
|
@ -50,7 +50,13 @@ mock_decrypt_desc_layer(const hs_descriptor_t *desc,
|
||||
*decrypted_out = tor_memdup_nulterm(
|
||||
encrypted_blob + HS_DESC_ENCRYPTED_SALT_LEN,
|
||||
encrypted_blob_size - overhead);
|
||||
return strlen(*decrypted_out);
|
||||
size_t result = strlen(*decrypted_out);
|
||||
if (result) {
|
||||
return result;
|
||||
} else {
|
||||
tor_free(*decrypted_out);
|
||||
return 0;
|
||||
}
|
||||
}
|
||||
|
||||
int
|
||||
|
Loading…
Reference in New Issue
Block a user