diff options
-rw-r--r-- | changes/md_leak_bug | 5 | ||||
-rw-r--r-- | src/or/routerlist.c | 6 | ||||
-rw-r--r-- | src/or/routerparse.c | 2 |
3 files changed, 9 insertions, 4 deletions
diff --git a/changes/md_leak_bug b/changes/md_leak_bug new file mode 100644 index 0000000000..26270aacc3 --- /dev/null +++ b/changes/md_leak_bug @@ -0,0 +1,5 @@ + o Major bugfixes (security, OOM) + - Fix a memory leak that could occur if a microdescriptor parse + fails during the tokenizing step. This could enable a memory + exhaustion attack by directory servers. Fixes bug #11649; bugfix + on 0.2.2.6-alpha. diff --git a/src/or/routerlist.c b/src/or/routerlist.c index a7968beca2..9e59c332a1 100644 --- a/src/or/routerlist.c +++ b/src/or/routerlist.c @@ -460,10 +460,8 @@ authority_cert_dl_failed(const char *id_digest, int status) static const char *BAD_SIGNING_KEYS[] = { "09CD84F751FD6E955E0F8ADB497D5401470D697E", // Expires 2015-01-11 16:26:31 -// dizum still needs to rotate as of 2014-04-14 -//"0E7E9C07F0969D0468AD741E172A6109DC289F3C", // Expires 2014-08-12 10:18:26 -// dannenberg still needs to rotate as of 2014-04-14 -//"57B85409891D3FB32137F642FDEDF8B7F8CDFDCD", // Expires 2015-02-11 17:19:09 + "0E7E9C07F0969D0468AD741E172A6109DC289F3C", // Expires 2014-08-12 10:18:26 + "57B85409891D3FB32137F642FDEDF8B7F8CDFDCD", // Expires 2015-02-11 17:19:09 "87326329007AF781F587AF5B594E540B2B6C7630", // Expires 2014-07-17 11:10:09 "98CC82342DE8D298CF99D3F1A396475901E0D38E", // Expires 2014-11-10 13:18:56 "9904B52336713A5ADCB13E4FB14DC919E0D45571", // Expires 2014-04-20 20:01:01 diff --git a/src/or/routerparse.c b/src/or/routerparse.c index 97e0bc8c85..3ff887c3ca 100644 --- a/src/or/routerparse.c +++ b/src/or/routerparse.c @@ -4455,11 +4455,13 @@ microdescs_parse_from_string(const char *s, const char *eos, microdesc_free(md); md = NULL; + SMARTLIST_FOREACH(tokens, directory_token_t *, t, token_clear(t)); memarea_clear(area); smartlist_clear(tokens); s = start_of_next_microdesc; } + SMARTLIST_FOREACH(tokens, directory_token_t *, t, token_clear(t)); memarea_drop_all(area); smartlist_free(tokens); |