Limit the number of elements in a consdiff hash line.

This avoids performing and then freeing a lot of small mallocs() if the hash line has too many elements. Fixes one case of bug 40472; resolves OSS-Fuzz 38363. Bugfix on 0.3.1.1-alpha when the consdiff parsing code was introduced.
2024-09-20 13:06:20 +02:00 · 2021-12-06 12:35:08 -05:00 · 2021-12-06 12:35:08 -05:00 · 86819229af
commit 86819229af
parent 4a24673436
2 changed files with 7 additions and 1 deletions
--- a/changes/bug40472
+++ b/changes/bug40472
@ -0,0 +1,6 @@
+  o Minor bugfixes (performance, DoS):
+    - Fix one case of a not-especially viable denial-of-service attack found
+      by OSS-Fuzz in our consensus-diff parsing code. This attack causes a
+      lot small of memory allocations and then immediately frees them: this
+      is only slow when running with all the sanitizers enabled.  Fixes one
+      case of bug 40472; bugfix on 0.3.1.1-alpha.
--- a/src/feature/dircommon/consdiff.c
+++ b/src/feature/dircommon/consdiff.c
@ -1126,7 +1126,7 @@ consdiff_get_digests(const smartlist_t *diff,
  {
    const cdline_t *line2 = smartlist_get(diff, 1);
    char *h = tor_memdup_nulterm(line2->s, line2->len);
-    smartlist_split_string(hash_words, h, " ", 0, 0);
+    smartlist_split_string(hash_words, h, " ", 0, 4);
    tor_free(h);
  }