Home Explore Help
Sign In
piros
/
tor
3
0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Browse Source

Fix possible UB in an end-of-string check in get_next_token().

Remember, you can't check to see if there are N bytes left in a
buffer by doing (buf + N < end), since the buf + N computation might
take you off the end of the buffer and result in undefined behavior.

Fixes 28202; bugfix on 0.2.0.3-alpha.
Nick Mathewson 6 years ago
parent
5b28190c67
commit
368413a321
2 changed files with 5 additions and 1 deletions
Split View Show Diff Stats
  1. 4 0
      changes/bug28202
  2. 1 1
      src/or/routerparse.c

+ 4 - 0
changes/bug28202
View File 

@@ -0,0 +1,4 @@
 
+  o Minor bugfixes (C correctness):
 
+    - Avoid undefined behavior in an end-of-string check when parsing the
 
+      BEGIN line in a directory object.  Fixes bug 28202; bugfix on
 
+      0.2.0.3-alpha.

+ 1 - 1
src/or/routerparse.c
View File 

@@ -4964,7 +4964,7 @@ get_next_token(memarea_t *area,
 
     goto check_object;
 
 
   obstart = *s; /* Set obstart to start of object spec */
 
-  if (*s+16 >= eol || memchr(*s+11,'\0',eol-*s-16) || /* no short lines, */
 
+  if (eol - *s <= 16 || memchr(*s+11,'\0',eol-*s-16) || /* no short lines, */
 
       strcmp_len(eol-5, "-----", 5) ||           /* nuls or invalid endings */
 
       (eol-*s) > MAX_UNPARSED_OBJECT_SIZE) {     /* name too long */
 
     RET_ERR("Malformed object: bad begin line");