From 86819229afde13ae8466ee782f4c4bd9ba6f37cd Mon Sep 17 00:00:00 2001 From: Nick Mathewson Date: Mon, 6 Dec 2021 12:35:08 -0500 Subject: [PATCH] Limit the number of elements in a consdiff hash line. This avoids performing and then freeing a lot of small mallocs() if the hash line has too many elements. Fixes one case of bug 40472; resolves OSS-Fuzz 38363. Bugfix on 0.3.1.1-alpha when the consdiff parsing code was introduced. --- changes/bug40472 | 6 ++++++ src/feature/dircommon/consdiff.c | 2 +- 2 files changed, 7 insertions(+), 1 deletion(-) create mode 100644 changes/bug40472 diff --git a/changes/bug40472 b/changes/bug40472 new file mode 100644 index 0000000000..d87c1dc2cc --- /dev/null +++ b/changes/bug40472 @@ -0,0 +1,6 @@ + o Minor bugfixes (performance, DoS): + - Fix one case of a not-especially viable denial-of-service attack found + by OSS-Fuzz in our consensus-diff parsing code. This attack causes a + lot small of memory allocations and then immediately frees them: this + is only slow when running with all the sanitizers enabled. Fixes one + case of bug 40472; bugfix on 0.3.1.1-alpha. diff --git a/src/feature/dircommon/consdiff.c b/src/feature/dircommon/consdiff.c index d0f7594ce3..3c38e92dd6 100644 --- a/src/feature/dircommon/consdiff.c +++ b/src/feature/dircommon/consdiff.c @@ -1126,7 +1126,7 @@ consdiff_get_digests(const smartlist_t *diff, { const cdline_t *line2 = smartlist_get(diff, 1); char *h = tor_memdup_nulterm(line2->s, line2->len); - smartlist_split_string(hash_words, h, " ", 0, 0); + smartlist_split_string(hash_words, h, " ", 0, 4); tor_free(h); }