Merge branch 'maint-0.2.9' into maint-0.3.1

2 files changed, 17 insertions, 0 deletions

diff --git a/changes/bug26196 b/changes/bug26196
new file mode 100644
index 0000000000..47fcffa0f8
--- /dev/null
+++ b/changes/bug26196
@@ -0,0 +1,4 @@
+  o Minor bugfixes (hardening):
+    - Prevent a possible out-of-bounds smartlist read in
+      protover_compute_vote(). Fixes bug 26196; bugfix on
+      0.2.9.4-alpha.
diff --git a/src/or/protover.c b/src/or/protover.c
index 45f0377d61..e8524a25b5 100644
--- a/src/or/protover.c
+++ b/src/or/protover.c
@@ -453,6 +453,10 @@ cmp_single_ent_by_version(const void **a_, const void **b_)
 static char *
 contract_protocol_list(const smartlist_t *proto_strings)
 {
+  if (smartlist_len(proto_strings) == 0) {
+    return tor_strdup("");
+  }
+
   // map from name to list of single-version entries
   strmap_t *entry_lists_by_name = strmap_new();
   // list of protocol names
@@ -561,6 +565,10 @@ char *
 protover_compute_vote(const smartlist_t *list_of_proto_strings,
                       int threshold)
 {
+  if (smartlist_len(list_of_proto_strings) == 0) {
+    return tor_strdup("");
+  }
+
   smartlist_t *all_entries = smartlist_new();
 
   // First, parse the inputs and break them into singleton entries.
@@ -587,6 +595,11 @@ protover_compute_vote(const smartlist_t *list_of_proto_strings,
     smartlist_free(unexpanded);
   } SMARTLIST_FOREACH_END(vote);
 
+  if (smartlist_len(all_entries) == 0) {
+    smartlist_free(all_entries);
+    return tor_strdup("");
+  }
+
   // Now sort the singleton entries
   smartlist_sort_strings(all_entries);