mirror of
https://gitlab.torproject.org/tpo/core/tor.git
synced 2024-11-14 07:03:44 +01:00
5240afa713
If it decrypts something that turns out to start with a NUL byte, then decrypt_desc_layer() will return 0 to indicate the length of its result. But 0 also indicates an error, which causes the result not to be freed by decrypt_desc_layer()'s callers. Since we're trying to stabilize 0.3.2.x, I've opted for the simpler possible fix here and made it so that an empty decrypted string will also count as an error. Fixes bug 24150 and OSS-Fuzz issue 3994. The original bug was present but unreachable in 0.3.1.1-alpha. I'm calling this a bugfix on 0.3.2.1-alpha since that's the first version where you could actually try to decrypt these descriptors.
5 lines
229 B
Plaintext
5 lines
229 B
Plaintext
o Minor bugfixes (v3 onion services):
|
|
- Fix a memory leak when decrypting a badly formatted v3 onion
|
|
service descriptor. Fixes bug 24150; bugfix on 0.3.2.1-alpha.
|
|
Found by OSS-Fuzz; this is OSS-Fuzz issue 3994.
|