diff options
| author | Nick Mathewson <nickm@torproject.org> | 2009-04-09 20:00:43 +0000 |
|---|---|---|
| committer | Nick Mathewson <nickm@torproject.org> | 2009-04-09 20:00:43 +0000 |
| commit | d7be44f2380186c913be5a927d67b55e30e313c4 (patch) | |
| tree | 34d27834c3b5213e8d4c79e9a99445356f7cbbd2 | |
| parent | 94e713bc5c4b8ce7db7ef1460e9a813030d93eec (diff) | |
| download | tor-d7be44f2380186c913be5a927d67b55e30e313c4.tar.gz tor-d7be44f2380186c913be5a927d67b55e30e313c4.zip | |
Partial backport for the relevant parts of 19250
svn:r19251
| -rw-r--r-- | ChangeLog | 4 | ||||
| -rw-r--r-- | src/or/routerparse.c | 7 |
2 files changed, 7 insertions, 4 deletions
@@ -1,4 +1,8 @@ Changes in version 0.3.0.35 - 2009-??-?? + o Security fix: + - Avoid crashing in the presence of certain malformed descriptors. + Found by lark, and by automated fuzzing. + o Minor bugfixes: - When starting with a cache over a few days old, do not leak memory for the obsolete router descriptors in it. Bugfix on diff --git a/src/or/routerparse.c b/src/or/routerparse.c index 87c5d4ba11..e3af4b16e5 100644 --- a/src/or/routerparse.c +++ b/src/or/routerparse.c @@ -378,7 +378,7 @@ static token_rule_t networkstatus_consensus_token_table[] = { T0N("opt", K_OPT, CONCAT_ARGS, OBJ_OK ), - T1N("dir-source", K_DIR_SOURCE, GE(3), NO_OBJ ), + T1N("dir-source", K_DIR_SOURCE, GE(6), NO_OBJ ), T1N("contact", K_CONTACT, CONCAT_ARGS, NO_OBJ ), T1N("vote-digest", K_VOTE_DIGEST, GE(1), NO_OBJ ), @@ -2212,7 +2212,7 @@ networkstatus_parse_vote_from_string(const char *s, const char **eos_out, base16_decode(voter->vote_digest, sizeof(voter->vote_digest), tok->args[0], HEX_DIGEST_LEN) < 0) { log_warn(LD_DIR, "Error decoding vote digest %s in " - "network-status consensus.", escaped(tok->args[1])); + "network-status consensus.", escaped(tok->args[0])); goto err; } } @@ -2825,8 +2825,7 @@ get_next_token(const char **s, const char *eos, token_rule_t *table) goto check_object; obstart = *s; /* Set obstart to start of object spec */ - tor_assert(eol >= (*s+16)); - if (*s+11 >= eol-5 || memchr(*s+11,'\0',eol-*s-16) || /* no short lines, */ + if (*s+16 >= eol || memchr(*s+11,'\0',eol-*s-16) || /* no short lines, */ strcmp_len(eol-5, "-----", 5)) { /* nuls or invalid endings */ RET_ERR("Malformed object: bad begin line"); } |