diff options
| author | Roger Dingledine <arma@torproject.org> | 2011-04-27 15:55:07 -0400 |
|---|---|---|
| committer | Roger Dingledine <arma@torproject.org> | 2011-04-27 15:55:07 -0400 |
| commit | ed808143682bbd151df9ff84efffa084a36e6b33 (patch) | |
| tree | ae55a6eec38efd48fc12a02c2b4968dde23c1f2d | |
| parent | 4bb1f690314b60db13946424f9295291da7ec112 (diff) | |
| parent | cba1d29b7ff041dc222d69640f4d4330d31f7ea1 (diff) | |
| download | tor-ed808143682bbd151df9ff84efffa084a36e6b33.tar.gz tor-ed808143682bbd151df9ff84efffa084a36e6b33.zip | |
Merge branch 'maint-0.2.2' into release-0.2.2
| -rw-r--r-- | changes/microdesc-double-free | 7 | ||||
| -rw-r--r-- | src/or/circuituse.c | 9 | ||||
| -rw-r--r-- | src/or/dirserv.h | 2 | ||||
| -rw-r--r-- | src/or/routerparse.c | 1 |
4 files changed, 14 insertions, 5 deletions
diff --git a/changes/microdesc-double-free b/changes/microdesc-double-free new file mode 100644 index 0000000000..932cc754ba --- /dev/null +++ b/changes/microdesc-double-free @@ -0,0 +1,7 @@ + o Security fixes: + - Don't double-free a parsable, but invalid, microdescriptor, even + if it is followed in the blob we're parsing by an unparsable + microdescriptor. Fixes an issue reported in a comment on bug 2954. + Bugfix on 0.2.2.6-alpha; fix by "cypherpunks". + + diff --git a/src/or/circuituse.c b/src/or/circuituse.c index fd1cf6b9b7..8503dae46c 100644 --- a/src/or/circuituse.c +++ b/src/or/circuituse.c @@ -433,11 +433,11 @@ circuit_expire_building(void) "Extremely large value for circuit build timeout: %lds. " "Assuming clock jump. Purpose %d (%s)", (long)(now.tv_sec - victim->timestamp_created.tv_sec), - victim->purpose, + victim->purpose, circuit_purpose_to_string(victim->purpose)); } else if (circuit_build_times_count_close(&circ_times, - first_hop_succeeded, - victim->timestamp_created.tv_sec)) { + first_hop_succeeded, + victim->timestamp_created.tv_sec)) { circuit_build_times_set_timeout(&circ_times); } } @@ -770,7 +770,8 @@ circuit_expire_old_circuits_clientside(void) * on it, mark it for close. */ if (circ->timestamp_dirty && - circ->timestamp_dirty + get_options()->MaxCircuitDirtiness < now.tv_sec && + circ->timestamp_dirty + get_options()->MaxCircuitDirtiness < + now.tv_sec && !TO_ORIGIN_CIRCUIT(circ)->p_streams /* nothing attached */ ) { log_debug(LD_CIRC, "Closing n_circ_id %d (dirty %ld sec ago, " "purpose %d)", diff --git a/src/or/dirserv.h b/src/or/dirserv.h index a8a7060a36..569abfca2e 100644 --- a/src/or/dirserv.h +++ b/src/or/dirserv.h @@ -52,7 +52,7 @@ MAX_V_LINE_LEN \ ) -#define UNNAMED_ROUTER_NICKNAME "Unnamed" +#define UNNAMED_ROUTER_NICKNAME "Unnamed" int connection_dirserv_flushed_some(dir_connection_t *conn); diff --git a/src/or/routerparse.c b/src/or/routerparse.c index ba29f056f1..d0138e638b 100644 --- a/src/or/routerparse.c +++ b/src/or/routerparse.c @@ -4357,6 +4357,7 @@ microdescs_parse_from_string(const char *s, const char *eos, md = NULL; next: microdesc_free(md); + md = NULL; memarea_clear(area); smartlist_clear(tokens); |