From 00e2310f12dfb91aca2949463b57bd6937f19166 Mon Sep 17 00:00:00 2001 From: Nick Mathewson Date: Wed, 8 May 2013 12:04:18 -0400 Subject: [PATCH] Don't run off the end of the array-of-freelists This is a fix for bug 8844, where eugenis correctly notes that there's a sentinel value at the end of the list-of-freelists that's never actually checked. It's a bug since the first version of the chunked buffer code back in 0.2.0.16-alpha. This would probably be a crash bug if it ever happens, but nobody's ever reported something like this, so I'm unsure whether it can occur. It would require write_to_buf, write_to_buf_zlib, read_to_buf, or read_to_buf_tls to get an input size of more than 32K. Still, it's a good idea to fix this kind of thing! --- changes/bug8844 | 6 ++++++ src/or/buffers.c | 3 ++- src/test/test.c | 12 ++++++++++++ 3 files changed, 20 insertions(+), 1 deletion(-) create mode 100644 changes/bug8844 diff --git a/changes/bug8844 b/changes/bug8844 new file mode 100644 index 0000000000..320e5f2845 --- /dev/null +++ b/changes/bug8844 @@ -0,0 +1,6 @@ + o Major bugfixes: + - Prevent the get_freelists() function from running off the end of + the list of freelists if it somehow gets an unrecognized + allocation. Fixes bug 8844; bugfix on 0.2.0.16-alpha. Reported by + eugenis. + diff --git a/src/or/buffers.c b/src/or/buffers.c index ad5ab83e4f..9be0476f64 100644 --- a/src/or/buffers.c +++ b/src/or/buffers.c @@ -147,7 +147,8 @@ static INLINE chunk_freelist_t * get_freelist(size_t alloc) { int i; - for (i=0; freelists[i].alloc_size <= alloc; ++i) { + for (i=0; (freelists[i].alloc_size <= alloc && + freelists[i].alloc_size); ++i ) { if (freelists[i].alloc_size == alloc) { return &freelists[i]; } diff --git a/src/test/test.c b/src/test/test.c index ddfd6337bd..ae423948ec 100644 --- a/src/test/test.c +++ b/src/test/test.c @@ -802,6 +802,18 @@ test_buffers(void) buf_free(buf); buf = NULL; + /* Try adding a string too long for any freelist. */ + { + char *cp = tor_malloc_zero(65536); + buf = buf_new(); + write_to_buf(cp, 65536, buf); + tor_free(cp); + + tt_int_op(buf_datalen(buf), ==, 65536); + buf_free(buf); + buf = NULL; + } + done: if (buf) buf_free(buf);