From dfee17328950628686bf2c78a8983871f36d97cf Mon Sep 17 00:00:00 2001 From: Sebastian Hahn Date: Sun, 7 Feb 2010 06:30:55 +0100 Subject: [PATCH] lookup_last_hid_serv_request() could overflow and leak memory The problem was that we didn't allocate enough memory on 32-bit platforms with 64-bit time_t. The memory leak occured every time we fetched a hidden service descriptor we've fetched before. --- ChangeLog | 7 +++++++ src/or/rendclient.c | 7 +++++-- 2 files changed, 12 insertions(+), 2 deletions(-) diff --git a/ChangeLog b/ChangeLog index 592c39f8a9..973f69b36b 100644 --- a/ChangeLog +++ b/ChangeLog @@ -8,6 +8,13 @@ Changes in version 0.2.1.23 - 2010-0?-?? automatically discard guards picked using the old algorithm. Fixes bug 1217; bugfix on 0.2.1.3-alpha. Found by Mike Perry. + o Major bugfixes: + - Fix a potential buffer overflow in lookup_last_hid_serv_request() + that could happen on 32-bit platforms with 64-bit time_t. Also fix + a memory leak when requesting a hidden service descriptor we've + requested before. Fixes bug 1242, bugfix on 0.2.0.18-alpha. Found + by aakova. + o Minor bugfixes: - When deciding whether to use strange flags to turn TLS renegotiation on, detect the OpenSSL version at run-time, not compile time. We diff --git a/src/or/rendclient.c b/src/or/rendclient.c index 47a8818a50..e252174b48 100644 --- a/src/or/rendclient.c +++ b/src/or/rendclient.c @@ -354,9 +354,12 @@ lookup_last_hid_serv_request(routerstatus_t *hs_dir, tor_snprintf(hsdir_desc_comb_id, sizeof(hsdir_desc_comb_id), "%s%s", hsdir_id_base32, desc_id_base32); if (set) { - last_request_ptr = tor_malloc_zero(sizeof(time_t *)); + time_t *oldptr; + last_request_ptr = tor_malloc_zero(sizeof(time_t)); *last_request_ptr = now; - strmap_set(last_hid_serv_requests, hsdir_desc_comb_id, last_request_ptr); + oldptr = strmap_set(last_hid_serv_requests, hsdir_desc_comb_id, + last_request_ptr); + tor_free(oldptr); } else last_request_ptr = strmap_get_lc(last_hid_serv_requests, hsdir_desc_comb_id);