nihilist/tor
1
0
Fork 0
mirror of https://gitlab.torproject.org/tpo/core/tor.git synced 2024-11-10 13:13:44 +01:00
Code Issues Packages Projects Releases Wiki Activity

Merge branch 'maint-0.2.9' into maint-0.3.0

Browse Source
This commit is contained in:
Nick Mathewson 2017-06-27 11:04:44 -04:00
commit a242d194c7
2 changed files with 15 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
changes/bug22737 Normal file
View File

@ -0,0 +1,12 @@
o Minor bugfixes (defensive programming, undefined behavior):
- Fix a memset() off the end of an array when packing cells. This
bug should be harmless in practice, since the corrupted bytes
are still in the same structure, and are always padding bytes,
ignored, or immediately overwritten, depending on compiler
behavior. Nevertheless, because the memset()'s purpose is to
make sure that any other cell-handling bugs can't expose bytes
to the network, we need to fix it. Fixes bug 22737; bugfix on
0.2.4.11-alpha. Fixes CID 1401591.

4
src/or/connection_or.c
View File

@ -419,9 +419,11 @@ cell_pack(packed_cell_t *dst, const cell_t *src, int wide_circ_ids)
set_uint32(dest, htonl(src->circ_id));
dest += 4;
} else {
/* Clear the last two bytes of dest, in case we can accidentally
* send them to the network somehow. */
memset(dest+CELL_MAX_NETWORK_SIZE-2, 0, 2);
set_uint16(dest, htons(src->circ_id));
dest += 2;
memset(dest+CELL_MAX_NETWORK_SIZE-2, 0, 2); /*make sure it's clear */
}
set_uint8(dest, src->command);
memcpy(dest+1, src->payload, CELL_PAYLOAD_SIZE);