[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]
[or-cvs] [tor/maint-0.2.1] lookup_last_hid_serv_request() could overflow and leak memory
Author: Sebastian Hahn <sebastian@xxxxxxxxxxxxxx>
Date: Sun, 7 Feb 2010 06:30:55 +0100
Subject: lookup_last_hid_serv_request() could overflow and leak memory
Commit: dfee17328950628686bf2c78a8983871f36d97cf
The problem was that we didn't allocate enough memory on 32-bit
platforms with 64-bit time_t. The memory leak occured every time
we fetched a hidden service descriptor we've fetched before.
---
ChangeLog | 7 +++++++
src/or/rendclient.c | 7 +++++--
2 files changed, 12 insertions(+), 2 deletions(-)
diff --git a/ChangeLog b/ChangeLog
index 592c39f..973f69b 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -8,6 +8,13 @@ Changes in version 0.2.1.23 - 2010-0?-??
automatically discard guards picked using the old algorithm. Fixes
bug 1217; bugfix on 0.2.1.3-alpha. Found by Mike Perry.
+ o Major bugfixes:
+ - Fix a potential buffer overflow in lookup_last_hid_serv_request()
+ that could happen on 32-bit platforms with 64-bit time_t. Also fix
+ a memory leak when requesting a hidden service descriptor we've
+ requested before. Fixes bug 1242, bugfix on 0.2.0.18-alpha. Found
+ by aakova.
+
o Minor bugfixes:
- When deciding whether to use strange flags to turn TLS renegotiation
on, detect the OpenSSL version at run-time, not compile time. We
diff --git a/src/or/rendclient.c b/src/or/rendclient.c
index 47a8818..e252174 100644
--- a/src/or/rendclient.c
+++ b/src/or/rendclient.c
@@ -354,9 +354,12 @@ lookup_last_hid_serv_request(routerstatus_t *hs_dir,
tor_snprintf(hsdir_desc_comb_id, sizeof(hsdir_desc_comb_id), "%s%s",
hsdir_id_base32, desc_id_base32);
if (set) {
- last_request_ptr = tor_malloc_zero(sizeof(time_t *));
+ time_t *oldptr;
+ last_request_ptr = tor_malloc_zero(sizeof(time_t));
*last_request_ptr = now;
- strmap_set(last_hid_serv_requests, hsdir_desc_comb_id, last_request_ptr);
+ oldptr = strmap_set(last_hid_serv_requests, hsdir_desc_comb_id,
+ last_request_ptr);
+ tor_free(oldptr);
} else
last_request_ptr = strmap_get_lc(last_hid_serv_requests,
hsdir_desc_comb_id);
--
1.6.5