nihilist/tor
1
0
Fork 0
mirror of https://gitlab.torproject.org/tpo/core/tor.git synced 2024-11-10 13:13:44 +01:00
Code Issues Packages Projects Releases Wiki Activity

Fix possible UB in an end-of-string check in get_next_token().

Browse Source 
Remember, you can't check to see if there are N bytes left in a
buffer by doing (buf + N < end), since the buf + N computation might
take you off the end of the buffer and result in undefined behavior.

Fixes 28202; bugfix on 0.2.0.3-alpha.
This commit is contained in:
Nick Mathewson 2018-10-25 09:06:13 -04:00
parent 5b28190c67
commit 368413a321
2 changed files with 5 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
changes/bug28202 Normal file
View File

@ -0,0 +1,4 @@
o Minor bugfixes (C correctness):
- Avoid undefined behavior in an end-of-string check when parsing the
BEGIN line in a directory object. Fixes bug 28202; bugfix on
0.2.0.3-alpha.

2
src/or/routerparse.c
View File

@ -4964,7 +4964,7 @@ get_next_token(memarea_t *area,
goto check_object;
obstart = *s; /* Set obstart to start of object spec */
if (*s+16 >= eol || memchr(*s+11,'\0',eol-*s-16) || /* no short lines, */
if (eol - *s <= 16 || memchr(*s+11,'\0',eol-*s-16) || /* no short lines, */
strcmp_len(eol-5, "-----", 5) || /* nuls or invalid endings */
(eol-*s) > MAX_UNPARSED_OBJECT_SIZE) { /* name too long */
RET_ERR("Malformed object: bad begin line");