aboutsummaryrefslogtreecommitdiff
path: root/src/or/rendcommon.c
diff options
context:
space:
mode:
authorNick Mathewson <nickm@torproject.org>2011-01-13 14:36:41 -0500
committerNick Mathewson <nickm@torproject.org>2011-01-15 11:49:25 -0500
commit115782bdbe42e4b3d5cb386d2939a883bc381d12 (patch)
treefacebd78bfcd426d3404999e5237c502fb34ebaa /src/or/rendcommon.c
parenta16902b9d4b0a912eb0a252bb945cbeaaa40dacb (diff)
downloadtor-115782bdbe42e4b3d5cb386d2939a883bc381d12.tar.gz
tor-115782bdbe42e4b3d5cb386d2939a883bc381d12.zip
Fix a heap overflow found by debuger, and make it harder to make that mistake again
Our public key functions assumed that they were always writing into a large enough buffer. In one case, they weren't. (Incorporates fixes from sebastian)
Diffstat (limited to 'src/or/rendcommon.c')
-rw-r--r--src/or/rendcommon.c4
1 files changed, 3 insertions, 1 deletions
diff --git a/src/or/rendcommon.c b/src/or/rendcommon.c
index 1d96f3daf5..d6f5443815 100644
--- a/src/or/rendcommon.c
+++ b/src/or/rendcommon.c
@@ -700,7 +700,9 @@ rend_encode_service_descriptor(rend_service_descriptor_t *desc,
cp += ipoint_len+1;
}
note_crypto_pk_op(REND_SERVER);
- r = crypto_pk_private_sign_digest(key, cp, *str_out, cp-*str_out);
+ r = crypto_pk_private_sign_digest(key,
+ cp, buflen - (cp - *str_out),
+ *str_out, cp-*str_out);
if (r<0) {
tor_free(*str_out);
return -1;