Merge branch 'memarea_overflow_027_squashed' into maint-0.2.8

author: Nick Mathewson <nickm@torproject.org> 2016-05-25 09:22:02 -0400
committer: Nick Mathewson <nickm@torproject.org> 2016-05-25 09:22:02 -0400
commit: 6abceca1826a018fb51e419fc4eb9721dd501acf (patch)
tree: 0450db6c193a6aaac8c80151f18b05982050c012 /changes
parent: 87134db57cc7cbbd801e5992ce6ca6a71e2ebfc8 (diff)
parent: be2d37ad3cbb5a36fee410f2e36e53b1ee019f48 (diff)
download: tor-6abceca1826a018fb51e419fc4eb9721dd501acf.tar.gz
tor-6abceca1826a018fb51e419fc4eb9721dd501acf.zip
1 files changed, 7 insertions, 0 deletions
diff --git a/changes/memarea_overflow b/changes/memarea_overflow
new file mode 100644
index 0000000000..8fdc38cc09
--- /dev/null
+++ b/changes/memarea_overflow
@@ -0,0 +1,7 @@
+  o Minor bugfixes (pointer arithmetic):
+    - Fix a bug in memarea_alloc() that could have resulted in remote heap
+      write access, if Tor had ever passed an unchecked size to
+      memarea_alloc().  Fortunately, all the sizes we pass to memarea_alloc()
+      are pre-checked to be less than 128 kilobytes. Fixes bug 19150; bugfix
+      on 0.2.1.1-alpha. Bug found by Guido Vranken.
+
author	Nick Mathewson <nickm@torproject.org>	2016-05-25 09:22:02 -0400
committer	Nick Mathewson <nickm@torproject.org>	2016-05-25 09:22:02 -0400
commit	6abceca1826a018fb51e419fc4eb9721dd501acf (patch)
tree	0450db6c193a6aaac8c80151f18b05982050c012 /changes
parent	87134db57cc7cbbd801e5992ce6ca6a71e2ebfc8 (diff)
parent	be2d37ad3cbb5a36fee410f2e36e53b1ee019f48 (diff)
download	tor-6abceca1826a018fb51e419fc4eb9721dd501acf.tar.gz tor-6abceca1826a018fb51e419fc4eb9721dd501acf.zip