Home Explore Help
Sign In
sengler
/
tor-parallel-relay-conn
1
0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Browse Source

Merge remote-tracking branch 'tor-github/pr/926' into maint-0.3.5

teor 6 years ago
parent
955cf9620c 2cdc6b2005
commit
9be65c440b
2 changed files with 11 additions and 1 deletions
Split View Show Diff Stats
  1. 9 0
      changes/bug30040
  2. 2 1
      src/ext/getdelim.c

+ 9 - 0
changes/bug30040
View File 

@@ -0,0 +1,9 @@
 
+  o Minor bugfixes (security):
 
+    - Fix a potential double free bug when reading huge bandwidth files. The
 
+      issue is not exploitable in the current Tor network because the
 
+      vulnerable code is only reached when directory authorities read bandwidth
 
+      files, but bandwidth files come from a trusted source (usually the
 
+      authorities themselves). Furthermore, the issue is only exploitable in
 
+      rare (non-POSIX) 32-bit architectures which are not used by any of the
 
+      current authorities. Fixes bug 30040; bugfix on 0.3.5.1-alpha. Bug found
 
+      and fixed by Tobias Stoeckmann.

+ 2 - 1
src/ext/getdelim.c
View File 

@@ -67,7 +67,8 @@ compat_getdelim_(char **buf, size_t *bufsiz, int delimiter, FILE *fp)
 
 			char *nbuf;
 
 			size_t nbufsiz = *bufsiz * 2;
 
 			ssize_t d = ptr - *buf;
 
-			if ((nbuf = raw_realloc(*buf, nbufsiz)) == NULL)
 
+			if (nbufsiz < *bufsiz ||
 
+			    (nbuf = raw_realloc(*buf, nbufsiz)) == NULL)
 
 				return -1;
 
 			*buf = nbuf;
 
 			*bufsiz = nbufsiz;