Limit the number of elements in a consdiff hash line.

This avoids performing and then freeing a lot of small mallocs() if
the hash line has too many elements.

Fixes one case of bug 40472; resolves OSS-Fuzz 38363.  Bugfix on
0.3.1.1-alpha when the consdiff parsing code was introduced.
This commit is contained in:
Nick Mathewson 2021-12-06 12:35:08 -05:00
parent 4a24673436
commit 86819229af
2 changed files with 7 additions and 1 deletions

6
changes/bug40472 Normal file
View File

@ -0,0 +1,6 @@
o Minor bugfixes (performance, DoS):
- Fix one case of a not-especially viable denial-of-service attack found
by OSS-Fuzz in our consensus-diff parsing code. This attack causes a
lot small of memory allocations and then immediately frees them: this
is only slow when running with all the sanitizers enabled. Fixes one
case of bug 40472; bugfix on 0.3.1.1-alpha.

View File

@ -1126,7 +1126,7 @@ consdiff_get_digests(const smartlist_t *diff,
{
const cdline_t *line2 = smartlist_get(diff, 1);
char *h = tor_memdup_nulterm(line2->s, line2->len);
smartlist_split_string(hash_words, h, " ", 0, 0);
smartlist_split_string(hash_words, h, " ", 0, 4);
tor_free(h);
}