author | Nick Mathewson <nickm@torproject.org> | 2021-12-06 12:35:08 -0500 |
---|---|---|
committer | Nick Mathewson <nickm@torproject.org> | 2021-12-06 12:35:08 -0500 |
commit | 86819229afde13ae8466ee782f4c4bd9ba6f37cd (patch) | |
tree | 8e2b8c7e790248fb13b3231432b9ad7c4d83dd75 | |
parent | 4a24673436b2f8cf7a6bbbb353f97f1ae403e411 (diff) | |
Limit the number of elements in a consdiff hash line.

This avoids performing and then freeing a lot of small mallocs() if
the hash line has too many elements.

Fixes one case of bug 40472; resolves OSS-Fuzz 38363. Bugfix on
0.3.1.1-alpha when the consdiff parsing code was introduced.
-rw-r--r-- | changes/bug40472 | 6 | ||||
-rw-r--r-- | src/feature/dircommon/consdiff.c | 2 |
2 files changed, 7 insertions, 1 deletions
diff --git a/changes/bug40472 b/changes/bug40472 new file mode 100644 index 0000000000..d87c1dc2cc --- /dev/null +++ b/changes/bug40472 @@ -0,0 +1,6 @@ + o Minor bugfixes (performance, DoS): + - Fix one case of a not-especially viable denial-of-service attack found + by OSS-Fuzz in our consensus-diff parsing code. This attack causes a + lot small of memory allocations and then immediately frees them: this + is only slow when running with all the sanitizers enabled. Fixes one + case of bug 40472; bugfix on 0.3.1.1-alpha. diff --git a/src/feature/dircommon/consdiff.c b/src/feature/dircommon/consdiff.c index d0f7594ce3..3c38e92dd6 100644 --- a/src/feature/dircommon/consdiff.c +++ b/src/feature/dircommon/consdiff.c @@ -1126,7 +1126,7 @@ consdiff_get_digests(const smartlist_t *diff, { const cdline_t *line2 = smartlist_get(diff, 1); char *h = tor_memdup_nulterm(line2->s, line2->len); - smartlist_split_string(hash_words, h, " ", 0, 0); + smartlist_split_string(hash_words, h, " ", 0, 4); tor_free(h); } |
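Review bot: In changes/bug40472, the added line "lot small of memory allocations and then immediately frees them: this" has its words out of order and should read "a lot of small memory allocations". The same sentence says the attack "immediately frees them", although it is the parsing code that allocates and frees; "causes the parser to make a lot of small memory allocations and then immediately free them" would say that directly.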
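Review bot: In consdiff_get_digests() in src/feature/dircommon/consdiff.c, the new final argument 4 to smartlist_split_string() is a bare literal with no comment tying it to the format of the hash line. Please add a short comment (or a named constant) stating how many words a valid hash line has and why the cap is 4, so a reader can confirm that a line with too many elements is still rejected by whatever validation follows the split rather than accepted in a shortened form. The diffstat shows only the changes file and this one-line edit, so a unit test that feeds a hash line with many space-separated elements and expects the diff to be refused would pin the behaviour down.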