[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

[or-cvs] bugfixes: smartlist_join_strings2() was underflowing a size_t

To: or-cvs@xxxxxxxxxxxxx
Subject: [or-cvs] bugfixes: smartlist_join_strings2() was underflowing a size_t
From: arma@xxxxxxxx
Date: Mon, 18 Jul 2005 19:11:48 -0400 (EDT)
Delivered-to: archiver@seul.org
Delivered-to: or-cvs-outgoing@seul.org
Delivered-to: or-cvs@seul.org
Delivery-date: Mon, 18 Jul 2005 19:12:00 -0400
Reply-to: or-talk@xxxxxxxxxxxxx
Sender: owner-or-cvs@xxxxxxxxxxxxx

Update of /home2/or/cvsroot/tor/src/common
In directory moria:/home/arma/work/onion/cvs/tor/src/common

Modified Files:
	container.c 
Log Message:
bugfixes: smartlist_join_strings2() was underflowing a size_t
if you gave it an empty smartlist; and it wasn't terminating in
this case even if you asked it to.

this does not appear to be exploitable in any reasonable cases.


Index: container.c
===================================================================
RCS file: /home2/or/cvsroot/tor/src/common/container.c,v
retrieving revision 1.28
retrieving revision 1.29
diff -u -d -r1.28 -r1.29
--- container.c	11 Jun 2005 05:31:15 -0000	1.28
+++ container.c	18 Jul 2005 23:11:46 -0000	1.29
@@ -357,6 +357,10 @@
 
   tor_assert(sl);
   tor_assert(join);
+
+  if (sl->num_used == 0)
+    n = join_len; /* special-case this one, to avoid underflow */
+
   for (i = 0; i < sl->num_used; ++i) {
     n += strlen(sl->list[i]);
     n += join_len;
@@ -371,6 +375,11 @@
       dst += join_len;
     }
   }
+  if (sl->num_used == 0 && terminate) {
+    /* another special case for length == 0 */
+    memcpy(dst, join, join_len);
+    dst += join_len;
+  }
   *dst = '\0';
 
   if (len_out)

Prev by Author: [or-cvs] get the url right for the 0.1.0.11 release
Next by Author: [or-cvs] slightly cleaner fix
Previous by thread: [or-cvs] get the url right for the 0.1.0.11 release
Next by thread: [or-cvs] slightly cleaner fix
Index(es):
- Author
- Thread