summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
Diffstat
-rw-r--r--changes/policy_summarize-assert6
-rw-r--r--src/or/policies.c4
2 files changed, 8 insertions, 2 deletions
diff --git a/changes/policy_summarize-assert b/changes/policy_summarize-assert
new file mode 100644
index 0000000000..619e8e7e42
--- /dev/null
+++ b/changes/policy_summarize-assert
@@ -0,0 +1,6 @@
+ o Major bugfixes (security)
+ - Fix a bounds-checking error that could allow an attacker to
+ remotely crash a directory authority. Found by piebeer.
+ Bugfix on 0.2.1.5-alpha.
+
+
diff --git a/src/or/policies.c b/src/or/policies.c
index 6947222b2e..62e048cfc2 100644
--- a/src/or/policies.c
+++ b/src/or/policies.c
@@ -1243,8 +1243,8 @@ policy_summarize(smartlist_t *policy)
accepts_str = smartlist_join_strings(accepts, ",", 0, &accepts_len);
rejects_str = smartlist_join_strings(rejects, ",", 0, &rejects_len);
- if (rejects_len > MAX_EXITPOLICY_SUMMARY_LEN &&
- accepts_len > MAX_EXITPOLICY_SUMMARY_LEN) {
+ if (rejects_len > MAX_EXITPOLICY_SUMMARY_LEN-strlen("reject")-1 &&
+ accepts_len > MAX_EXITPOLICY_SUMMARY_LEN-strlen("accept")-1) {
char *c;
shorter_str = accepts_str;
prefix = "accept";
7apu2bq3rhoylwmucxizk54afw5jyda7pho4j5zdcqpwkufke7zdzwad.onion