diff options
author | Nick Mathewson <nickm@torproject.org> | 2017-06-27 11:04:44 -0400 |
---|---|---|
committer | Nick Mathewson <nickm@torproject.org> | 2017-06-27 11:04:44 -0400 |
commit | 3483f7c00349be6cba7b703f2e5ee94563d0c6eb (patch) | |
tree | f52fd3a933a1ceb6750576779e8bb476470cc5a4 | |
parent | 307be8d4a7f1607b14bac6d9ed757e20a2008a16 (diff) | |
parent | 9a0fd2dbb187e898f63064c483776538a90562f1 (diff) | |
download | tor-3483f7c00349be6cba7b703f2e5ee94563d0c6eb.tar.gz tor-3483f7c00349be6cba7b703f2e5ee94563d0c6eb.zip |
Merge branch 'maint-0.2.7-redux' into maint-0.2.8
-rw-r--r-- | changes/bug22737 | 12 | ||||
-rw-r--r-- | src/or/connection_or.c | 4 |
2 files changed, 15 insertions, 1 deletions
diff --git a/changes/bug22737 b/changes/bug22737 new file mode 100644 index 0000000000..f0de8e6c41 --- /dev/null +++ b/changes/bug22737 @@ -0,0 +1,12 @@ + o Minor bugfixes (defensive programming, undefined behavior): + + - Fix a memset() off the end of an array when packing cells. This + bug should be harmless in practice, since the corrupted bytes + are still in the same structure, and are always padding bytes, + ignored, or immediately overwritten, depending on compiler + behavior. Nevertheless, because the memset()'s purpose is to + make sure that any other cell-handling bugs can't expose bytes + to the network, we need to fix it. Fixes bug 22737; bugfix on + 0.2.4.11-alpha. Fixes CID 1401591. + + diff --git a/src/or/connection_or.c b/src/or/connection_or.c index 9730e1a952..3892ac02fb 100644 --- a/src/or/connection_or.c +++ b/src/or/connection_or.c @@ -431,9 +431,11 @@ cell_pack(packed_cell_t *dst, const cell_t *src, int wide_circ_ids) set_uint32(dest, htonl(src->circ_id)); dest += 4; } else { + /* Clear the last two bytes of dest, in case we can accidentally + * send them to the network somehow. */ + memset(dest+CELL_MAX_NETWORK_SIZE-2, 0, 2); set_uint16(dest, htons(src->circ_id)); dest += 2; - memset(dest+CELL_MAX_NETWORK_SIZE-2, 0, 2); /*make sure it's clear */ } set_uint8(dest, src->command); memcpy(dest+1, src->payload, CELL_PAYLOAD_SIZE); |