nihilist/tor
1
0
Fork 0
mirror of https://gitlab.torproject.org/tpo/core/tor.git synced 2024-11-30 23:53:32 +01:00
Code Issues Packages Projects Releases Wiki Activity

Merge branch 'maint-0.4.0'

Browse Source
This commit is contained in:
Nick Mathewson 2019-04-10 11:31:44 -04:00
commit 3be1e26b8d
2 changed files with 11 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
changes/bug30040 Normal file
View File

@ -0,0 +1,9 @@
o Minor bugfixes (security):
- Fix a potential double free bug when reading huge bandwidth files. The
issue is not exploitable in the current Tor network because the
vulnerable code is only reached when directory authorities read bandwidth
files, but bandwidth files come from a trusted source (usually the
authorities themselves). Furthermore, the issue is only exploitable in
rare (non-POSIX) 32-bit architectures which are not used by any of the
current authorities. Fixes bug 30040; bugfix on 0.3.5.1-alpha. Bug found
and fixed by Tobias Stoeckmann.

3
src/ext/getdelim.c
View File

@ -67,7 +67,8 @@ compat_getdelim_(char **buf, size_t *bufsiz, int delimiter, FILE *fp)
char *nbuf; char *nbuf;
size_t nbufsiz = *bufsiz * 2; size_t nbufsiz = *bufsiz * 2;
ssize_t d = ptr - *buf; ssize_t d = ptr - *buf;
if ((nbuf = raw_realloc(*buf, nbufsiz)) == NULL) if (nbufsiz < *bufsiz ||
(nbuf = raw_realloc(*buf, nbufsiz)) == NULL)
return -1; return -1;
*buf = nbuf; *buf = nbuf;
*bufsiz = nbufsiz; *bufsiz = nbufsiz;