mirror of
https://gitlab.torproject.org/tpo/core/tor.git
synced 2024-11-27 13:53:31 +01:00
Merge branch 'maint-0.2.6' into maint-0.2.7-redux
This commit is contained in:
commit
9a0fd2dbb1
12
changes/bug22737
Normal file
12
changes/bug22737
Normal file
@ -0,0 +1,12 @@
|
||||
o Minor bugfixes (defensive programming, undefined behavior):
|
||||
|
||||
- Fix a memset() off the end of an array when packing cells. This
|
||||
bug should be harmless in practice, since the corrupted bytes
|
||||
are still in the same structure, and are always padding bytes,
|
||||
ignored, or immediately overwritten, depending on compiler
|
||||
behavior. Nevertheless, because the memset()'s purpose is to
|
||||
make sure that any other cell-handling bugs can't expose bytes
|
||||
to the network, we need to fix it. Fixes bug 22737; bugfix on
|
||||
0.2.4.11-alpha. Fixes CID 1401591.
|
||||
|
||||
|
@ -430,9 +430,11 @@ cell_pack(packed_cell_t *dst, const cell_t *src, int wide_circ_ids)
|
||||
set_uint32(dest, htonl(src->circ_id));
|
||||
dest += 4;
|
||||
} else {
|
||||
/* Clear the last two bytes of dest, in case we can accidentally
|
||||
* send them to the network somehow. */
|
||||
memset(dest+CELL_MAX_NETWORK_SIZE-2, 0, 2);
|
||||
set_uint16(dest, htons(src->circ_id));
|
||||
dest += 2;
|
||||
memset(dest+CELL_MAX_NETWORK_SIZE-2, 0, 2); /*make sure it's clear */
|
||||
}
|
||||
set_uint8(dest, src->command);
|
||||
memcpy(dest+1, src->payload, CELL_PAYLOAD_SIZE);
|
||||
|
Loading…
Reference in New Issue
Block a user