nihilist/tor
1
0
Fork 0
mirror of https://gitlab.torproject.org/tpo/core/tor.git synced 2024-11-24 20:33:31 +01:00
Code Issues Packages Projects Releases Wiki Activity

bugfixes: smartlist_join_strings2() was underflowing a size_t

Browse Source 
if you gave it an empty smartlist; and it wasn't terminating in
this case even if you asked it to.

this does not appear to be exploitable in any reasonable cases.


svn:r4598
This commit is contained in:
Roger Dingledine 2005-07-18 23:11:46 +00:00
parent b13a9e9070
commit 893652da84
1 changed files with 9 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
src/common/container.c
View File

@ -357,6 +357,10 @@ char *smartlist_join_strings2(smartlist_t *sl, const char *join,
tor_assert(sl); tor_assert(sl);
tor_assert(join); tor_assert(join);
if (sl->num_used == 0)
n = join_len; /* special-case this one, to avoid underflow */
for (i = 0; i < sl->num_used; ++i) { for (i = 0; i < sl->num_used; ++i) {
n += strlen(sl->list[i]); n += strlen(sl->list[i]);
n += join_len; n += join_len;
@ -371,6 +375,11 @@ char *smartlist_join_strings2(smartlist_t *sl, const char *join,
dst += join_len; dst += join_len;
} }
} }
if (sl->num_used == 0 && terminate) {
/* another special case for length == 0 */
memcpy(dst, join, join_len);
dst += join_len;
}
*dst = '\0'; *dst = '\0';
if (len_out) if (len_out)