Merge remote-tracking branch 'tor-github/pr/926' into maint-0.3.5

2024-11-27 22:03:31 +01:00 · 2019-08-12 09:41:14 +10:00 · 2019-08-12 09:41:14 +10:00 · 9be65c440b
commit 9be65c440b
parent 955cf9620c 2cdc6b2005
2 changed files with 11 additions and 1 deletions
--- a/changes/bug30040
+++ b/changes/bug30040
@ -0,0 +1,9 @@
+  o Minor bugfixes (security):
+    - Fix a potential double free bug when reading huge bandwidth files. The
+      issue is not exploitable in the current Tor network because the
+      vulnerable code is only reached when directory authorities read bandwidth
+      files, but bandwidth files come from a trusted source (usually the
+      authorities themselves). Furthermore, the issue is only exploitable in
+      rare (non-POSIX) 32-bit architectures which are not used by any of the
+      current authorities. Fixes bug 30040; bugfix on 0.3.5.1-alpha. Bug found
+      and fixed by Tobias Stoeckmann.
--- a/src/ext/getdelim.c
+++ b/src/ext/getdelim.c
@ -67,7 +67,8 @@ compat_getdelim_(char **buf, size_t *bufsiz, int delimiter, FILE *fp)
 			char *nbuf;
 			size_t nbufsiz = *bufsiz * 2;
 			ssize_t d = ptr - *buf;
-			if ((nbuf = raw_realloc(*buf, nbufsiz)) == NULL)
+			if (nbufsiz < *bufsiz ||
+			    (nbuf = raw_realloc(*buf, nbufsiz)) == NULL)
 				return -1;
 			*buf = nbuf;
 			*bufsiz = nbufsiz;