Merge branch 'maint-0.2.6' into maint-0.2.7-redux

This commit is contained in:
Nick Mathewson 2017-06-27 11:04:44 -04:00
commit 9a0fd2dbb1
2 changed files with 15 additions and 1 deletions

12
changes/bug22737 Normal file
View File

@ -0,0 +1,12 @@
o Minor bugfixes (defensive programming, undefined behavior):
- Fix a memset() off the end of an array when packing cells. This
bug should be harmless in practice, since the corrupted bytes
are still in the same structure, and are always padding bytes,
ignored, or immediately overwritten, depending on compiler
behavior. Nevertheless, because the memset()'s purpose is to
make sure that any other cell-handling bugs can't expose bytes
to the network, we need to fix it. Fixes bug 22737; bugfix on
0.2.4.11-alpha. Fixes CID 1401591.

View File

@ -430,9 +430,11 @@ cell_pack(packed_cell_t *dst, const cell_t *src, int wide_circ_ids)
set_uint32(dest, htonl(src->circ_id));
dest += 4;
} else {
/* Clear the last two bytes of dest, in case we can accidentally
* send them to the network somehow. */
memset(dest+CELL_MAX_NETWORK_SIZE-2, 0, 2);
set_uint16(dest, htons(src->circ_id));
dest += 2;
memset(dest+CELL_MAX_NETWORK_SIZE-2, 0, 2); /*make sure it's clear */
}
set_uint8(dest, src->command);
memcpy(dest+1, src->payload, CELL_PAYLOAD_SIZE);