Merge branch 'bug22737_024' into maint-0.2.4
commit
d56f699399
12
changes/bug22737
Normal file
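--- /dev/null
+++ b/changes/bug22737
@@ -0,0 +1,12 @@
+o Minor bugfixes (defensive programming, undefined behavior):
+
+- Fix a memset() off the end of an array when packing cells. This
+bug should be harmless in practice, since the corrupted bytes
+are still in the same structure, and are always padding bytes,
+ignored, or immediately overwritten, depending on compiler
+behavior. Nevertheless, because the memset()'s purpose is to
+make sure that any other cell-handling bugs can't expose bytes
+to the network, we need to fix it. Fixes bug 22737; bugfix on
+0.2.4.11-alpha. Fixes CID 1401591.
+
+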
@ -358,9 +358,11 @@ cell_pack(packed_cell_t *dst, const cell_t *src, int wide_circ_ids)
|
|||||||
set_uint32(dest, htonl(src->circ_id));
|
set_uint32(dest, htonl(src->circ_id));
|
||||||
dest += 4;
|
dest += 4;
|
||||||
} else {
|
} else {
|
||||||
|
/* Clear the last two bytes of dest, in case we can accidentally
|
||||||
|
* send them to the network somehow. */
|
||||||
|
memset(dest+CELL_MAX_NETWORK_SIZE-2, 0, 2);
|
||||||
set_uint16(dest, htons(src->circ_id));
|
set_uint16(dest, htons(src->circ_id));
|
||||||
dest += 2;
|
dest += 2;
|
||||||
memset(dest+CELL_MAX_NETWORK_SIZE-2, 0, 2); /*make sure it's clear */
|
|
||||||
}
|
}
|
||||||
set_uint8(dest, src->command);
|
set_uint8(dest, src->command);
|
||||||
memcpy(dest+1, src->payload, CELL_PAYLOAD_SIZE);
|
memcpy(dest+1, src->payload, CELL_PAYLOAD_SIZE);
|
||||||
|
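Review bot: The relocated `memset(dest+CELL_MAX_NETWORK_SIZE-2, 0, 2);` in the else branch is in bounds only because it now runs before `dest += 2`, and the new comment does not record that ordering constraint, which is the exact mistake this commit repairs. I would extend the comment with a sentence such as `Must be done before dest is advanced; afterwards the same expression writes two bytes past the end of the cell.` If `dest` is initialised from the start of the packed cell's buffer above the hunk (not visible here), computing the address from that fixed start rather than from the moving cursor would make the clear independent of statement order. cell_pack begins and ends outside the hunk.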