Merge branch 'maint-0.3.2' into release-0.3.2

This commit is contained in:
Nick Mathewson 2017-11-06 13:01:56 -05:00
commit bd432bbac5
3 changed files with 21 additions and 2 deletions

4
changes/bug24150 Normal file
View File

@ -0,0 +1,4 @@
o Minor bugfixes (v3 onion services):
- Fix a memory leak when decrypting a badly formatted v3 onion
service descriptor. Fixes bug 24150; bugfix on 0.3.2.1-alpha.
Found by OSS-Fuzz; this is OSS-Fuzz issue 3994.

View File

@ -1302,7 +1302,11 @@ encrypted_data_length_is_valid(size_t len)
* <b>encrypted_blob_size</b>. Use the descriptor object <b>desc</b> to
* generate the right decryption keys; set <b>decrypted_out</b> to the
* plaintext. If <b>is_superencrypted_layer</b> is set, this is the outter
* encrypted layer of the descriptor. */
* encrypted layer of the descriptor.
*
* On any error case, including an empty output, return 0 and set
* *<b>decrypted_out</b> to NULL.
*/
MOCK_IMPL(STATIC size_t,
decrypt_desc_layer,(const hs_descriptor_t *desc,
const uint8_t *encrypted_blob,
@ -1382,6 +1386,11 @@ decrypt_desc_layer,(const hs_descriptor_t *desc,
}
}
if (result_len == 0) {
/* Treat this as an error, so that somebody will free the output. */
goto err;
}
/* Make sure to NUL terminate the string. */
decrypted[encrypted_len] = '\0';
*decrypted_out = (char *) decrypted;

View File

@ -50,7 +50,13 @@ mock_decrypt_desc_layer(const hs_descriptor_t *desc,
*decrypted_out = tor_memdup_nulterm(
encrypted_blob + HS_DESC_ENCRYPTED_SALT_LEN,
encrypted_blob_size - overhead);
return strlen(*decrypted_out);
size_t result = strlen(*decrypted_out);
if (result) {
return result;
} else {
tor_free(*decrypted_out);
return 0;
}
}
int