diff options
| -rw-r--r-- | changes/bug30040 | 9 | ||||
| -rw-r--r-- | src/ext/getdelim.c | 3 |
2 files changed, 11 insertions, 1 deletions
diff --git a/changes/bug30040 b/changes/bug30040 new file mode 100644 index 0000000000..7d80528a10 --- /dev/null +++ b/changes/bug30040 @@ -0,0 +1,9 @@ + o Minor bugfixes (security): + - Fix a potential double free bug when reading huge bandwidth files. The + issue is not exploitable in the current Tor network because the + vulnerable code is only reached when directory authorities read bandwidth + files, but bandwidth files come from a trusted source (usually the + authorities themselves). Furthermore, the issue is only exploitable in + rare (non-POSIX) 32-bit architectures which are not used by any of the + current authorities. Fixes bug 30040; bugfix on 0.3.5.1-alpha. Bug found + and fixed by Tobias Stoeckmann. diff --git a/src/ext/getdelim.c b/src/ext/getdelim.c index 8254103ff9..1c29baffd9 100644 --- a/src/ext/getdelim.c +++ b/src/ext/getdelim.c @@ -67,7 +67,8 @@ compat_getdelim_(char **buf, size_t *bufsiz, int delimiter, FILE *fp) char *nbuf; size_t nbufsiz = *bufsiz * 2; ssize_t d = ptr - *buf; - if ((nbuf = raw_realloc(*buf, nbufsiz)) == NULL) + if (nbufsiz < *bufsiz || + (nbuf = raw_realloc(*buf, nbufsiz)) == NULL) return -1; *buf = nbuf; *bufsiz = nbufsiz; |