authorNick Mathewson <nickm@torproject.org>2013-12-16 13:00:15 -0500
committerNick Mathewson <nickm@torproject.org>2013-12-16 13:06:00 -0500
commitd8cfa2ef4e6d57f6dd4a33e5b3cfb1a2a12fc4be (patch)
tree995f347a060a3d7abadbc2f69daeddb4c1e174bc /src/or/microdesc.c
parent9e907076025ccd91abfad7fc70c09ba4c9228f82 (diff)
Avoid free()ing from an mmap on corrupted microdesc cache
The 'body' field of a microdesc_t holds a strdup()'d value if the microdesc's saved_location field is SAVED_IN_JOURNAL or SAVED_NOWHERE, and holds a pointer to the middle of an mmap if the microdesc is SAVED_IN_CACHE. But we weren't setting that field until a while after we parsed the microdescriptor, which left an interval where microdesc_free() would try to free() the middle of the mmap(). This patch also includes a regression test. This is a fix for #10409; bugfix on 0.2.2.6-alpha.
Diffstat (limited to 'src/or/microdesc.c')
-rw-r--r--src/or/microdesc.c3
1 files changed, 1 insertions, 2 deletions
diff --git a/src/or/microdesc.c b/src/or/microdesc.c
index b4d22c1c62..6f9134cf29 100644
--- a/src/or/microdesc.c
+++ b/src/or/microdesc.c
@@ -149,11 +149,10 @@ microdescs_add_to_cache(microdesc_cache_t *cache,
{
smartlist_t *descriptors, *added;
const int allow_annotations = (where != SAVED_NOWHERE);
- const int copy_body = (where != SAVED_IN_CACHE);
descriptors = microdescs_parse_from_string(s, eos,
allow_annotations,
- copy_body);
+ where);
if (listed_at > 0) {
SMARTLIST_FOREACH(descriptors, microdesc_t *, md,
md->last_listed = listed_at);
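Review bot: The fourth argument of the `microdescs_parse_from_string()` call now carries a `saved_location_t` value where it used to carry the boolean `copy_body`, and C will not diagnose a caller that still passes 0 or 1, so every other caller should be checked to pass a `SAVED_*` constant (none are visible, since this view is limited to src/or/microdesc.c). A stale boolean would silently pick the wrong ownership for `body`, which is the same free()-versus-mmap confusion this commit closes. A short comment at the call would keep the invariant visible, for example `/* Pass 'where' so each md's saved_location is set at parse time, before any microdesc_free(). */`. The body of `microdescs_add_to_cache()` continues past the hunk, so whether a later assignment of `md->saved_location` remains and is now redundant cannot be judged from here.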