Merge branch 'maint-0.2.4' into maint-0.2.5

2 files changed, 15 insertions, 1 deletions

diff --git a/changes/bug22737 b/changes/bug22737
new file mode 100644
index 0000000000..f0de8e6c41
--- /dev/null
+++ b/changes/bug22737
@@ -0,0 +1,12 @@
+  o Minor bugfixes (defensive programming, undefined behavior):
+
+    - Fix a memset() off the end of an array when packing cells.  This
+      bug should be harmless in practice, since the corrupted bytes
+      are still in the same structure, and are always padding bytes,
+      ignored, or immediately overwritten, depending on compiler
+      behavior. Nevertheless, because the memset()'s purpose is to
+      make sure that any other cell-handling bugs can't expose bytes
+      to the network, we need to fix it. Fixes bug 22737; bugfix on
+      0.2.4.11-alpha. Fixes CID 1401591.
+
+
diff --git a/src/or/connection_or.c b/src/or/connection_or.c
index c372270b4c..8c8094b440 100644
--- a/src/or/connection_or.c
+++ b/src/or/connection_or.c
@@ -427,9 +427,11 @@ cell_pack(packed_cell_t *dst, const cell_t *src, int wide_circ_ids)
     set_uint32(dest, htonl(src->circ_id));
     dest += 4;
   } else {
+    /* Clear the last two bytes of dest, in case we can accidentally
+     * send them to the network somehow. */
+    memset(dest+CELL_MAX_NETWORK_SIZE-2, 0, 2);
     set_uint16(dest, htons(src->circ_id));
     dest += 2;
-    memset(dest+CELL_MAX_NETWORK_SIZE-2, 0, 2); /*make sure it's clear */
   }
   set_uint8(dest, src->command);
   memcpy(dest+1, src->payload, CELL_PAYLOAD_SIZE);