author: Nick Mathewson <nickm@torproject.org> 2017-11-05 12:21:16 -0500
committer: Nick Mathewson <nickm@torproject.org> 2017-11-06 12:59:11 -0500
commit: 5240afa713581a0bbba64547e00107a9cbf17f21
tree: 4ebafaad43b03fc60c840478e8fa43dc9043d123 /src/test/fuzz
parent: 0386280487fce78b73e060234f515b850af9c589
Fix a memory leak on decryption non-failure of v3 hsdesc
If it decrypts something that turns out to start with a NUL byte, then decrypt_desc_layer() will return 0 to indicate the length of its result. But 0 also indicates an error, which causes the result not to be freed by decrypt_desc_layer()'s callers.

Since we're trying to stabilize 0.3.2.x, I've opted for the simpler possible fix here and made it so that an empty decrypted string will also count as an error.

Fixes bug 24150 and OSS-Fuzz issue 3994.

The original bug was present but unreachable in 0.3.1.1-alpha. I'm calling this a bugfix on 0.3.2.1-alpha since that's the first version where you could actually try to decrypt these descriptors.
Diffstat (limited to 'src/test/fuzz')
-rw-r--r-- src/test/fuzz/fuzz_hsdescv3.c 8
1 files changed, 7 insertions, 1 deletions
diff --git a/src/test/fuzz/fuzz_hsdescv3.c b/src/test/fuzz/fuzz_hsdescv3.c
index 30e82c9252..428774e330 100644
--- a/src/test/fuzz/fuzz_hsdescv3.c
+++ b/src/test/fuzz/fuzz_hsdescv3.c
@@ -50,7 +50,13 @@ mock_decrypt_desc_layer(const hs_descriptor_t *desc,
*decrypted_out = tor_memdup_nulterm(
encrypted_blob + HS_DESC_ENCRYPTED_SALT_LEN,
encrypted_blob_size - overhead);
- return strlen(*decrypted_out);
+ size_t result = strlen(*decrypted_out);
+ if (result) {
+ return result;
+ } else {
+ tor_free(*decrypted_out);
+ return 0;
+ }
}
int
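Review bot: The new else branch at the end of mock_decrypt_desc_layer() frees *decrypted_out and returns 0 with no comment explaining that a zero return doubles as the error signal, so a later reader could "simplify" it back to `return strlen(*decrypted_out);` and reintroduce the leak. A one-line comment above `if (result)` stating that callers do not free the buffer when 0 is returned would document the contract the mock has to mirror. Separately, the length still comes from strlen() on the tor_memdup_nulterm() copy, so a blob with a NUL byte anywhere before the end reports a length shorter than `encrypted_blob_size - overhead`; the zero-length case is only the extreme of that, and it would be worth noting in the same comment that the returned length is the C-string length, not the number of bytes copied. The if/else could also be flattened to an early `if (result == 0) { tor_free(*decrypted_out); }` followed by a single `return result;`.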