mirror of
https://gitlab.torproject.org/tpo/core/tor.git
synced 2024-11-28 06:13:31 +01:00
Merge branch 'maint-0.4.0'
This commit is contained in:
commit
3be1e26b8d
9
changes/bug30040
Normal file
9
changes/bug30040
Normal file
@ -0,0 +1,9 @@
|
||||
o Minor bugfixes (security):
|
||||
- Fix a potential double free bug when reading huge bandwidth files. The
|
||||
issue is not exploitable in the current Tor network because the
|
||||
vulnerable code is only reached when directory authorities read bandwidth
|
||||
files, but bandwidth files come from a trusted source (usually the
|
||||
authorities themselves). Furthermore, the issue is only exploitable in
|
||||
rare (non-POSIX) 32-bit architectures which are not used by any of the
|
||||
current authorities. Fixes bug 30040; bugfix on 0.3.5.1-alpha. Bug found
|
||||
and fixed by Tobias Stoeckmann.
|
@ -67,7 +67,8 @@ compat_getdelim_(char **buf, size_t *bufsiz, int delimiter, FILE *fp)
|
||||
char *nbuf;
|
||||
size_t nbufsiz = *bufsiz * 2;
|
||||
ssize_t d = ptr - *buf;
|
||||
if ((nbuf = raw_realloc(*buf, nbufsiz)) == NULL)
|
||||
if (nbufsiz < *bufsiz ||
|
||||
(nbuf = raw_realloc(*buf, nbufsiz)) == NULL)
|
||||
return -1;
|
||||
*buf = nbuf;
|
||||
*bufsiz = nbufsiz;
|
||||
|
Loading…
Reference in New Issue
Block a user