Merge branch 'bug24150_032_squashed' into maint-0.3.2

changes/bug24150

@@ -0,0 +1,4 @@
+  o Minor bugfixes (v3 onion services):
+    - Fix a memory leak when decrypting a badly formatted v3 onion
+      service descriptor. Fixes bug 24150; bugfix on 0.3.2.1-alpha.
+      Found by OSS-Fuzz; this is OSS-Fuzz issue 3994.

src/or/hs_descriptor.c

@@ -1302,7 +1302,11 @@ encrypted_data_length_is_valid(size_t len)
  *  <b>encrypted_blob_size</b>. Use the descriptor object <b>desc</b> to
  *  generate the right decryption keys; set <b>decrypted_out</b> to the
  *  plaintext. If <b>is_superencrypted_layer</b> is set, this is the outter
- *  encrypted layer of the descriptor. */
+ *  encrypted layer of the descriptor.
+ *
+ * On any error case, including an empty output, return 0 and set
+ * *<b>decrypted_out</b> to NULL.
+ */
 MOCK_IMPL(STATIC size_t,
 decrypt_desc_layer,(const hs_descriptor_t *desc,
                     const uint8_t *encrypted_blob,
@@ -1382,6 +1386,11 @@ decrypt_desc_layer,(const hs_descriptor_t *desc,
     }
   }
 
+  if (result_len == 0) {
+    /* Treat this as an error, so that somebody will free the output. */
+    goto err;
+  }
+
   /* Make sure to NUL terminate the string. */
   decrypted[encrypted_len] = '\0';
   *decrypted_out = (char *) decrypted;

src/test/fuzz/fuzz_hsdescv3.c

@@ -50,7 +50,13 @@ mock_decrypt_desc_layer(const hs_descriptor_t *desc,
   *decrypted_out = tor_memdup_nulterm(
                    encrypted_blob + HS_DESC_ENCRYPTED_SALT_LEN,
                    encrypted_blob_size - overhead);
-  return strlen(*decrypted_out);
+  size_t result = strlen(*decrypted_out);
+  if (result) {
+    return result;
+  } else {
+    tor_free(*decrypted_out);
+    return 0;
+  }
 }
 
 int