authorcypherpunks <writecode@127.0.0.1>2011-04-27 11:10:56 -0700
committerNick Mathewson <nickm@torproject.org>2011-04-27 15:15:32 -0400
commit247cbab6c8a37c5e6225bfd60491b071a29331e4 (patch)
tree4da9f6245c1217cff18871e1367a3dee9cc4838e
parent0f48e8fa9ad68f56c7b1076872848bd0f1e524b2 (diff)
downloadtor-247cbab6c8a37c5e6225bfd60491b071a29331e4.tar.gz
tor-247cbab6c8a37c5e6225bfd60491b071a29331e4.zip
Fix double-free bug in microdesc parser
-rw-r--r--changes/microdesc-double-free7
-rw-r--r--src/or/routerparse.c1
2 files changed, 8 insertions, 0 deletions
diff --git a/changes/microdesc-double-free b/changes/microdesc-double-free
new file mode 100644
index 0000000000..932cc754ba
--- /dev/null
+++ b/changes/microdesc-double-free
@@ -0,0 +1,7 @@
+ o Security fixes:
+ - Don't double-free a parsable, but invalid, microdescriptor, even
+ if it is followed in the blob we're parsing by an unparsable
+ microdescriptor. Fixes an issue reported in a comment on bug 2954.
+ Bugfix on 0.2.2.6-alpha; fix by "cypherpunks".
+
+
diff --git a/src/or/routerparse.c b/src/or/routerparse.c
index ba29f056f1..d0138e638b 100644
--- a/src/or/routerparse.c
+++ b/src/or/routerparse.c
@@ -4357,6 +4357,7 @@ microdescs_parse_from_string(const char *s, const char *eos,
md = NULL;
next:
microdesc_free(md);
+ md = NULL;
memarea_clear(area);
smartlist_clear(tokens);
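Review bot: The added `md = NULL;` after `microdesc_free(md);` reads as redundant on its own and has no comment saying why it is needed, so a later cleanup could drop it and reintroduce the double free. I would put a short comment on it, for example `/* Reset md: a later pass can jump to next before md is reassigned and must not free it again. */`. The loop body starts and ends outside this hunk, so the exact path that reaches the label with a stale pointer is inferred from the changes entry and should be confirmed against the full function. A regression test that parses a blob holding a parsable-but-invalid microdescriptor followed by an unparsable one, the case the changes file names, would pin the fix.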