瀏覽代碼

Avoid out-of-bounds smartlist access in protover_compute_vote()
and contract_protocol_list()

rl1987 6 年之前
父節點
當前提交
719b5c1d27
共有 2 個文件被更改,包括 17 次插入0 次删除
  1. 4 0
      changes/bug26196
  2. 13 0
      src/or/protover.c

+ 4 - 0
changes/bug26196

@@ -0,0 +1,4 @@
+  o Minor bugfixes (hardening):
+    - Prevent a possible out-of-bounds smartlist read in
+      protover_compute_vote(). Fixes bug 26196; bugfix on
+      0.2.9.4-alpha.

+ 13 - 0
src/or/protover.c

@@ -453,6 +453,10 @@ cmp_single_ent_by_version(const void **a_, const void **b_)
 static char *
 contract_protocol_list(const smartlist_t *proto_strings)
 {
+  if (smartlist_len(proto_strings) == 0) {
+    return tor_strdup("");
+  }
+
   // map from name to list of single-version entries
   strmap_t *entry_lists_by_name = strmap_new();
   // list of protocol names
@@ -561,6 +565,10 @@ char *
 protover_compute_vote(const smartlist_t *list_of_proto_strings,
                       int threshold)
 {
+  if (smartlist_len(list_of_proto_strings) == 0) {
+    return tor_strdup("");
+  }
+
   smartlist_t *all_entries = smartlist_new();
 
   // First, parse the inputs and break them into singleton entries.
@@ -587,6 +595,11 @@ protover_compute_vote(const smartlist_t *list_of_proto_strings,
     smartlist_free(unexpanded);
   } SMARTLIST_FOREACH_END(vote);
 
+  if (smartlist_len(all_entries) == 0) {
+    smartlist_free(all_entries);
+    return tor_strdup("");
+  }
+
   // Now sort the singleton entries
   smartlist_sort_strings(all_entries);