Fix possible UB in an end-of-string check in get_next_token().

Remember, you can't check to see if there are N bytes left in a buffer by doing (buf + N < end), since the buf + N computation might take you off the end of the buffer and result in undefined behavior. Fixes 28202; bugfix on 0.2.0.3-alpha.
author: Nick Mathewson <nickm@torproject.org> 2018-10-25 09:06:13 -0400
committer: Nick Mathewson <nickm@torproject.org> 2018-10-25 09:06:13 -0400
commit: 368413a321a65234c0256c4ea80c613207cf7587 (patch)
tree: 63b88d347e2f9706494c7d210002c6ed1451afd1 /src
parent: 5b28190c67ac6828e588c0ec54fe88eab0fb45fb (diff)
download: tor-368413a321a65234c0256c4ea80c613207cf7587.tar.gz
tor-368413a321a65234c0256c4ea80c613207cf7587.zip
1 files changed, 1 insertions, 1 deletions
diff --git a/src/or/routerparse.c b/src/or/routerparse.c
index 521e237be2..063cbbcdaf 100644
--- a/src/or/routerparse.c
+++ b/src/or/routerparse.c
@@ -4964,7 +4964,7 @@ get_next_token(memarea_t *area,
     goto check_object;
 
   obstart = *s; /* Set obstart to start of object spec */
-  if (*s+16 >= eol || memchr(*s+11,'\0',eol-*s-16) || /* no short lines, */
+  if (eol - *s <= 16 || memchr(*s+11,'\0',eol-*s-16) || /* no short lines, */
       strcmp_len(eol-5, "-----", 5) ||           /* nuls or invalid endings */
       (eol-*s) > MAX_UNPARSED_OBJECT_SIZE) {     /* name too long */
     RET_ERR("Malformed object: bad begin line");
author	Nick Mathewson <nickm@torproject.org>	2018-10-25 09:06:13 -0400
committer	Nick Mathewson <nickm@torproject.org>	2018-10-25 09:06:13 -0400
commit	368413a321a65234c0256c4ea80c613207cf7587 (patch)
tree	63b88d347e2f9706494c7d210002c6ed1451afd1 /src
parent	5b28190c67ac6828e588c0ec54fe88eab0fb45fb (diff)
download	tor-368413a321a65234c0256c4ea80c613207cf7587.tar.gz tor-368413a321a65234c0256c4ea80c613207cf7587.zip