diff options
| author | Nick Mathewson <nickm@torproject.org> | 2013-12-16 13:00:15 -0500 |
|---|---|---|
| committer | Nick Mathewson <nickm@torproject.org> | 2013-12-16 13:06:00 -0500 |
| commit | d8cfa2ef4e6d57f6dd4a33e5b3cfb1a2a12fc4be (patch) | |
| tree | 995f347a060a3d7abadbc2f69daeddb4c1e174bc /src/or/dirvote.c | |
| parent | 9e907076025ccd91abfad7fc70c09ba4c9228f82 (diff) | |
| download | tor-d8cfa2ef4e6d57f6dd4a33e5b3cfb1a2a12fc4be.tar.gz tor-d8cfa2ef4e6d57f6dd4a33e5b3cfb1a2a12fc4be.zip | |
Avoid free()ing from an mmap on corrupted microdesc cache
The 'body' field of a microdesc_t holds a strdup()'d value if the
microdesc's saved_location field is SAVED_IN_JOURNAL or
SAVED_NOWHERE, and holds a pointer to the middle of an mmap if the
microdesc is SAVED_IN_CACHE. But we weren't setting that field
until a while after we parsed the microdescriptor, which left an
interval where microdesc_free() would try to free() the middle of
the mmap().
This patch also includes a regression test.
This is a fix for #10409; bugfix on 0.2.2.6-alpha.
Diffstat (limited to 'src/or/dirvote.c')
| -rw-r--r-- | src/or/dirvote.c | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/src/or/dirvote.c b/src/or/dirvote.c index 144859ae04..ab2225cf02 100644 --- a/src/or/dirvote.c +++ b/src/or/dirvote.c @@ -3538,7 +3538,8 @@ dirvote_create_microdescriptor(const routerinfo_t *ri) { smartlist_t *lst = microdescs_parse_from_string(output, - output+strlen(output), 0, 1); + output+strlen(output), 0, + SAVED_NOWHERE); if (smartlist_len(lst) != 1) { log_warn(LD_DIR, "We generated a microdescriptor we couldn't parse."); SMARTLIST_FOREACH(lst, microdesc_t *, md, microdesc_free(md)); |