authorJohn Brooks <special@torproject.org>2016-05-11 12:13:22 -0400
committerJohn Brooks <special@torproject.org>2016-05-11 13:11:03 -0400
commitbf3e32a45288b64e5535e02f40bd2bcb93c8a520 (patch)
treed3ae8afc737e828e69cbf6a583cadb0908a849f0 /src/or/networkstatus.c
parent61c0bae4f20556cf155562582ea00a6a147252d6 (diff)
Fix out-of-bounds write during voting with duplicate ed25519 keys
In dirserv_compute_performance_thresholds, we allocate arrays based on the length of 'routers', a list of routerinfo_t, but loop over the nodelist. The 'routers' list may be shorter when relays were filtered by routers_make_ed_keys_unique, leading to an out-of-bounds write on directory authorities. This bug was originally introduced in 26e89742, but it doesn't look possible to trigger until routers_make_ed_keys_unique was introduced in 13a31e72. Fixes bug 19032; bugfix on tor 0.2.8.2-alpha.
Diffstat (limited to 'src/or/networkstatus.c')
-rw-r--r--src/or/networkstatus.c3
1 files changed, 1 insertions, 2 deletions
diff --git a/src/or/networkstatus.c b/src/or/networkstatus.c
index a9b22ed1cc..f72e9d583c 100644
--- a/src/or/networkstatus.c
+++ b/src/or/networkstatus.c
@@ -1697,11 +1697,10 @@ networkstatus_dump_bridge_status_to_file(time_t now)
char *fname = NULL;
char *thresholds = NULL;
char *published_thresholds_and_status = NULL;
- routerlist_t *rl = router_get_routerlist();
char published[ISO_TIME_LEN+1];
format_iso_time(published, now);
- dirserv_compute_bridge_flag_thresholds(rl->routers);
+ dirserv_compute_bridge_flag_thresholds();
thresholds = dirserv_get_flag_thresholds_line();
tor_asprintf(&published_thresholds_and_status,
"published %s\nflag-thresholds %s\n%s",
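Review bot: The new call `dirserv_compute_bridge_flag_thresholds();` records nothing about why the router-list argument was dropped, so a later refactor could reintroduce a caller-supplied list without noticing the hazard. Per the commit description, the out-of-bounds write came from sizing arrays by one list while looping over another, so a short comment above the call would preserve that invariant, for example `/* No list argument: the thresholds code must size and fill its arrays from the same collection (bug 19032). */`. The callee's new allocation logic lives in another file and is not visible in this diff, so it is presumed rather than confirmed here that it now allocates and iterates over the same set. The body of networkstatus_dump_bridge_status_to_file starts and ends outside the hunk.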