[tor-commits] [tor/maint-0.3.5] Fix possible UB in an end-of-string check in get_next_token().
commit 368413a321a65234c0256c4ea80c613207cf7587
Author: Nick Mathewson <nickm@xxxxxxxxxxxxxx>
Date: Thu Oct 25 09:06:13 2018 -0400
Fix possible UB in an end-of-string check in get_next_token().
Remember, you can't check to see if there are N bytes left in a
buffer by doing (buf + N < end), since the buf + N computation might
take you off the end of the buffer and result in undefined behavior.
Fixes 28202; bugfix on 0.2.0.3-alpha.
---
changes/bug28202 | 4 ++++
src/or/routerparse.c | 2 +-
2 files changed, 5 insertions(+), 1 deletion(-)
diff --git a/changes/bug28202 b/changes/bug28202
new file mode 100644
index 000000000..182daac4f
--- /dev/null
+++ b/changes/bug28202
@@ -0,0 +1,4 @@
+ o Minor bugfixes (C correctness):
+ - Avoid undefined behavior in an end-of-string check when parsing the
+ BEGIN line in a directory object. Fixes bug 28202; bugfix on
+ 0.2.0.3-alpha.
diff --git a/src/or/routerparse.c b/src/or/routerparse.c
index 521e237be..063cbbcda 100644
--- a/src/or/routerparse.c
+++ b/src/or/routerparse.c
@@ -4964,7 +4964,7 @@ get_next_token(memarea_t *area,
goto check_object;
obstart = *s; /* Set obstart to start of object spec */
- if (*s+16 >= eol || memchr(*s+11,'\0',eol-*s-16) || /* no short lines, */
+ if (eol - *s <= 16 || memchr(*s+11,'\0',eol-*s-16) || /* no short lines, */
strcmp_len(eol-5, "-----", 5) || /* nuls or invalid endings */
(eol-*s) > MAX_UNPARSED_OBJECT_SIZE) { /* name too long */
RET_ERR("Malformed object: bad begin line");
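Review bot: the memchr length on the changed line, eol-*s-16, is only safe because the new first operand (eol - *s <= 16) short-circuits before it runs, and nothing in the condition says so. A one-line comment on that ordering would help, since reordering the || operands would hand memchr a zero or wrapped size. The literals 16 and 11 would also read better as named lengths tied to the 5-byte "-----" trailer checked on the next line. Separately, the (eol-*s) > MAX_UNPARSED_OBJECT_SIZE test comes last, so an oversized line is scanned by memchr before it is rejected; moving the size test ahead of memchr would bound that scan.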
_______________________________________________
tor-commits mailing list
tor-commits@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-commits
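The length-based check from the commit message, worked through on a BEGIN line as an added example (not code from the Tor source). The function name `begin_line_name_len` and the sample strings are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper, not from the Tor source: checks that [s, eol) holds
 * "-----BEGIN <name>-----" with a non-empty, NUL-free name. Returns the
 * name length, or -1 if the line is malformed. */
static long begin_line_name_len(const char *s, const char *eol)
{
    static const char prefix[] = "-----BEGIN "; /* 11 bytes */
    static const char suffix[] = "-----";       /* 5 bytes */
    const size_t plen = sizeof(prefix) - 1;
    const size_t slen = sizeof(suffix) - 1;
    size_t len, name_len;

    if (s == NULL || eol == NULL || s > eol)
        return -1;
    /* Subtract first: eol - s stays inside the buffer, while s + 16 may
     * point past its end, which is undefined before any comparison. */
    len = (size_t)(eol - s);
    if (len <= plen + slen)
        return -1;                        /* short line, no room for a name */
    if (memcmp(s, prefix, plen) != 0 || memcmp(eol - slen, suffix, slen) != 0)
        return -1;
    name_len = len - plen - slen;         /* >= 1 because of the check above */
    if (memchr(s + plen, '\0', name_len) != NULL)
        return -1;                        /* embedded NUL in the name */
    return (long)name_len;
}

int main(void)
{
    /* Constructed sample lines. */
    static const char ok[] = "-----BEGIN SIGNATURE-----";
    static const char tiny[] = "-----";
    printf("%ld %ld\n", begin_line_name_len(ok, ok + sizeof(ok) - 1),
           begin_line_name_len(tiny, tiny + sizeof(tiny) - 1));
    return 0;
}
```

With the 5-byte `tiny` buffer, the old form `s + 16 >= eol` would already compute a pointer beyond the array, while the subtraction form rejects the line without leaving it.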