author | Nick Mathewson <nickm@torproject.org> | 2019-04-10 11:31:33 -0400 |
---|---|---|
committer | Nick Mathewson <nickm@torproject.org> | 2019-04-10 11:31:33 -0400 |
commit | 412bcc5b2afcc965a6c8e6d09c3bda62df39bcc5 (patch) | |
tree | 3d1e5cf91c8f07c7d67a332938db4eef325bf8e2 | |
parent | 454bdb22eeb4637a8bb5e40deb8454311f4ba4a2 (diff) | |
parent | 2cdc6b2005d2ad09b44cf9a455a70f258e7f6fca (diff) | |
download | tor-412bcc5b2afcc965a6c8e6d09c3bda62df39bcc5.tar.gz tor-412bcc5b2afcc965a6c8e6d09c3bda62df39bcc5.zip |
Merge remote-tracking branch 'tor-github/pr/926' into maint-0.4.0
-rw-r--r-- | changes/bug30040 | 9 | ||||
-rw-r--r-- | src/ext/getdelim.c | 3 |
2 files changed, 11 insertions, 1 deletions
diff --git a/changes/bug30040 b/changes/bug30040
new file mode 100644
index 0000000000..7d80528a10
--- /dev/null
+++ b/changes/bug30040
@@ -0,0 +1,9 @@
+ o Minor bugfixes (security):
+ - Fix a potential double free bug when reading huge bandwidth files. The
+ issue is not exploitable in the current Tor network because the
+ vulnerable code is only reached when directory authorities read bandwidth
+ files, but bandwidth files come from a trusted source (usually the
+ authorities themselves). Furthermore, the issue is only exploitable in
+ rare (non-POSIX) 32-bit architectures which are not used by any of the
+ current authorities. Fixes bug 30040; bugfix on 0.3.5.1-alpha. Bug found
+ and fixed by Tobias Stoeckmann.
diff --git a/src/ext/getdelim.c b/src/ext/getdelim.c
index 8254103ff9..1c29baffd9 100644
--- a/src/ext/getdelim.c
+++ b/src/ext/getdelim.c
@@ -67,7 +67,8 @@ compat_getdelim_(char **buf, size_t *bufsiz, int delimiter, FILE *fp)
 char *nbuf;
 size_t nbufsiz = *bufsiz * 2;
 ssize_t d = ptr - *buf;
- if ((nbuf = raw_realloc(*buf, nbufsiz)) == NULL)
+ if (nbufsiz < *bufsiz ||
+ (nbuf = raw_realloc(*buf, nbufsiz)) == NULL)
 return -1;
 *buf = nbuf;
 *bufsiz = nbufsiz; |
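Review bot: The new `nbufsiz < *bufsiz` branch returns -1 without setting errno, so a caller that inspects errno after a -1 from compat_getdelim_ sees a stale value on the wrap path, whereas the realloc-failure path gets ENOMEM from the allocator itself; if `<errno.h>` is in scope in this file, splitting the check as `if (nbufsiz < *bufsiz) { errno = EOVERFLOW; return -1; }` ahead of the realloc would match what POSIX getdelim reports when the line cannot be held. The comparison also reads like a typo to someone who does not know that `*bufsiz * 2` is unsigned arithmetic, so a one-line comment such as `/* *bufsiz * 2 wrapped around; refuse to shrink the buffer. */` above it would keep the check from being "simplified" away later. The surrounding function, including where ptr and d are used after the realloc, begins and ends outside this hunk.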