Merge branch 'did-sanity-memmem' into 'main'

add sanity check in tor_memmem Closes #40854 See merge request tpo/core/tor!785
author: David Goulet <dgoulet@torproject.org> 2023-11-22 15:01:03 +0000
committer: David Goulet <dgoulet@torproject.org> 2023-11-22 15:01:03 +0000
commit: 0ea2e15d84c375a36b9f6a471b21ca6537f78fc3 (patch)
tree: f4d4695d940711b81bbd8a47017e918193fc413b
parent: 45c1a36acb0c859d647014d2d41b8497ecebcc14 (diff)
parent: 0be627890cf43528cee90c0d216984279187922d (diff)
download: tor-0ea2e15d84c375a36b9f6a471b21ca6537f78fc3.tar.gz
tor-0ea2e15d84c375a36b9f6a471b21ca6537f78fc3.zip
2 files changed, 5 insertions, 0 deletions
diff --git a/changes/ticket40854 b/changes/ticket40854
new file mode 100644
index 0000000000..1a5850cca0
--- /dev/null
+++ b/changes/ticket40854
@@ -0,0 +1,3 @@
+  o Minor feature (defense in depth):
+    - verify needle is smaller than haystack before calling memmem.
+      Closes ticket 40854.
diff --git a/src/lib/string/util_string.c b/src/lib/string/util_string.c
index b1c0a11439..60b5933e4d 100644
--- a/src/lib/string/util_string.c
+++ b/src/lib/string/util_string.c
@@ -31,6 +31,8 @@ tor_memmem(const void *_haystack, size_t hlen,
 {
 #if defined(HAVE_MEMMEM) && (!defined(__GNUC__) || __GNUC__ >= 2)
   raw_assert(nlen);
+  if (nlen > hlen)
+    return NULL;
   return memmem(_haystack, hlen, _needle, nlen);
 #else
   /* This isn't as fast as the GLIBC implementation, but it doesn't need to
author	David Goulet <dgoulet@torproject.org>	2023-11-22 15:01:03 +0000
committer	David Goulet <dgoulet@torproject.org>	2023-11-22 15:01:03 +0000
commit	0ea2e15d84c375a36b9f6a471b21ca6537f78fc3 (patch)
tree	f4d4695d940711b81bbd8a47017e918193fc413b
parent	45c1a36acb0c859d647014d2d41b8497ecebcc14 (diff)
parent	0be627890cf43528cee90c0d216984279187922d (diff)
download	tor-0ea2e15d84c375a36b9f6a471b21ca6537f78fc3.tar.gz tor-0ea2e15d84c375a36b9f6a471b21ca6537f78fc3.zip