From 719b5c1d27c678d4c2c705a8e4942b0f93070bdc Mon Sep 17 00:00:00 2001 From: rl1987 Date: Mon, 4 Jun 2018 12:27:10 +0300 Subject: Avoid out-of-bounds smartlist access in protover_compute_vote() and contract_protocol_list() --- changes/bug26196 | 4 ++++ src/or/protover.c | 13 +++++++++++++ 2 files changed, 17 insertions(+) create mode 100644 changes/bug26196 diff --git a/changes/bug26196 b/changes/bug26196 new file mode 100644 index 0000000000..47fcffa0f8 --- /dev/null +++ b/changes/bug26196 @@ -0,0 +1,4 @@ + o Minor bugfixes (hardening): + - Prevent a possible out-of-bounds smartlist read in + protover_compute_vote(). Fixes bug 26196; bugfix on + 0.2.9.4-alpha. diff --git a/src/or/protover.c b/src/or/protover.c index 0c79037f68..31ca13fe61 100644 --- a/src/or/protover.c +++ b/src/or/protover.c @@ -453,6 +453,10 @@ cmp_single_ent_by_version(const void **a_, const void **b_) static char * contract_protocol_list(const smartlist_t *proto_strings) { + if (smartlist_len(proto_strings) == 0) { + return tor_strdup(""); + } + // map from name to list of single-version entries strmap_t *entry_lists_by_name = strmap_new(); // list of protocol names @@ -561,6 +565,10 @@ char * protover_compute_vote(const smartlist_t *list_of_proto_strings, int threshold) { + if (smartlist_len(list_of_proto_strings) == 0) { + return tor_strdup(""); + } + smartlist_t *all_entries = smartlist_new(); // First, parse the inputs and break them into singleton entries. @@ -587,6 +595,11 @@ protover_compute_vote(const smartlist_t *list_of_proto_strings, smartlist_free(unexpanded); } SMARTLIST_FOREACH_END(vote); + if (smartlist_len(all_entries) == 0) { + smartlist_free(all_entries); + return tor_strdup(""); + } + // Now sort the singleton entries smartlist_sort_strings(all_entries); -- cgit v1.2.3-54-g00ecf