tor

The Tor anonymity network

commit 3be1e26b8d27b9baa89549fff56fadd2894ec00f
parent 60c46c6cd01092ccc17d5e8bd15778fd93d30d77
Author: Nick Mathewson <nickm@torproject.org>
Date:   Wed, 10 Apr 2019 11:31:44 -0400

Merge branch 'maint-0.4.0'

Diffstat:
Achanges/bug30040 | 9+++++++++
Msrc/ext/getdelim.c | 3++-
2 files changed, 11 insertions(+), 1 deletion(-)

diff --git a/changes/bug30040 b/changes/bug30040
@@ -0,0 +1,9 @@
+ o Minor bugfixes (security):
+ - Fix a potential double free bug when reading huge bandwidth files. The
+ issue is not exploitable in the current Tor network because the
+ vulnerable code is only reached when directory authorities read bandwidth
+ files, but bandwidth files come from a trusted source (usually the
+ authorities themselves). Furthermore, the issue is only exploitable in
+ rare (non-POSIX) 32-bit architectures which are not used by any of the
+ current authorities. Fixes bug 30040; bugfix on 0.3.5.1-alpha. Bug found
+ and fixed by Tobias Stoeckmann.
diff --git a/src/ext/getdelim.c b/src/ext/getdelim.c
@@ -67,7 +67,8 @@ compat_getdelim_(char **buf, size_t *bufsiz, int delimiter, FILE *fp)
 char *nbuf;
 size_t nbufsiz = *bufsiz * 2;
 ssize_t d = ptr - *buf;
- if ((nbuf = raw_realloc(*buf, nbufsiz)) == NULL)
+ if (nbufsiz < *bufsiz ||
+ (nbuf = raw_realloc(*buf, nbufsiz)) == NULL)
 return -1;
 *buf = nbuf;
 *bufsiz = nbufsiz;
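Review bot: The new wrap check `nbufsiz < *bufsiz` in compat_getdelim_ is correct for a doubling (the product `*bufsiz * 2` wraps to a smaller value exactly when it would exceed SIZE_MAX), but nothing in the hunk records why a wrapped size matters, so a later reader may "simplify" the condition away. Add a comment above the `if`, e.g. `/* *bufsiz * 2 wrapped; a 0-byte realloc may free *buf, and the caller would then free it again. */`. The guard does not cover `*bufsiz == 0` on entry (nbufsiz would also be 0 and pass the check); presumably the prologue of compat_getdelim_ establishes a nonzero initial size, but that code is outside the hunk and should be confirmed. The function body begins and ends outside this hunk.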