[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

[or-cvs] [tor/release-0.2.1] catch another overlong malloc possibility. found by cypherpunks



commit 1f3b4420233e83ef160ac41398827994ec7ae152
Author: Nick Mathewson <nickm@xxxxxxxxxxxxxx>
Date:   Sat Jan 15 10:42:11 2011 -0500

    catch another overlong malloc possibility. found by cypherpunks
---
 src/or/routerparse.c |    3 ++-
 1 files changed, 2 insertions(+), 1 deletions(-)

diff --git a/src/or/routerparse.c b/src/or/routerparse.c
index 070c61b..3aaefec 100644
--- a/src/or/routerparse.c
+++ b/src/or/routerparse.c
@@ -3105,7 +3105,8 @@ get_next_token(memarea_t *area,
 
   obstart = *s; /* Set obstart to start of object spec */
   if (*s+16 >= eol || memchr(*s+11,'\0',eol-*s-16) || /* no short lines, */
-      strcmp_len(eol-5, "-----", 5)) {          /* nuls or invalid endings */
+      strcmp_len(eol-5, "-----", 5) ||           /* nuls or invalid endings */
+      (eol-*s) > MAX_UNPARSED_OBJECT_SIZE) {     /* name too long */
     RET_ERR("Malformed object: bad begin line");
   }
   tok->object_type = STRNDUP(*s+11, eol-*s-16);