diff options
| author | Nick Mathewson <nickm@torproject.org> | 2013-12-16 13:00:15 -0500 |
|---|---|---|
| committer | Nick Mathewson <nickm@torproject.org> | 2013-12-16 13:06:00 -0500 |
| commit | d8cfa2ef4e6d57f6dd4a33e5b3cfb1a2a12fc4be (patch) | |
| tree | 995f347a060a3d7abadbc2f69daeddb4c1e174bc /src/or/microdesc.c | |
| parent | 9e907076025ccd91abfad7fc70c09ba4c9228f82 (diff) | |
| download | tor-d8cfa2ef4e6d57f6dd4a33e5b3cfb1a2a12fc4be.tar.gz tor-d8cfa2ef4e6d57f6dd4a33e5b3cfb1a2a12fc4be.zip | |
Avoid free()ing from an mmap on corrupted microdesc cache
The 'body' field of a microdesc_t holds a strdup()'d value if the
microdesc's saved_location field is SAVED_IN_JOURNAL or
SAVED_NOWHERE, and holds a pointer to the middle of an mmap if the
microdesc is SAVED_IN_CACHE. But we weren't setting that field
until a while after we parsed the microdescriptor, which left an
interval where microdesc_free() would try to free() the middle of
the mmap().
This patch also includes a regression test.
This is a fix for #10409; bugfix on 0.2.2.6-alpha.
Diffstat (limited to 'src/or/microdesc.c')
| -rw-r--r-- | src/or/microdesc.c | 3 |
1 files changed, 1 insertions, 2 deletions
diff --git a/src/or/microdesc.c b/src/or/microdesc.c index b4d22c1c62..6f9134cf29 100644 --- a/src/or/microdesc.c +++ b/src/or/microdesc.c @@ -149,11 +149,10 @@ microdescs_add_to_cache(microdesc_cache_t *cache, { smartlist_t *descriptors, *added; const int allow_annotations = (where != SAVED_NOWHERE); - const int copy_body = (where != SAVED_IN_CACHE); descriptors = microdescs_parse_from_string(s, eos, allow_annotations, - copy_body); + where); if (listed_at > 0) { SMARTLIST_FOREACH(descriptors, microdesc_t *, md, md->last_listed = listed_at); |