commit 412bcc5b2afcc965a6c8e6d09c3bda62df39bcc5
parent 454bdb22eeb4637a8bb5e40deb8454311f4ba4a2
Author: Nick Mathewson <nickm@torproject.org>
Date: Wed, 10 Apr 2019 11:31:33 -0400
Merge remote-tracking branch 'tor-github/pr/926' into maint-0.4.0
Diffstat:
2 files changed, 11 insertions(+), 1 deletion(-)
diff --git a/changes/bug30040 b/changes/bug30040
@@ -0,0 +1,9 @@
+ o Minor bugfixes (security):
+ - Fix a potential double free bug when reading huge bandwidth files. The
+ issue is not exploitable in the current Tor network because the
+ vulnerable code is only reached when directory authorities read bandwidth
+ files, but bandwidth files come from a trusted source (usually the
+ authorities themselves). Furthermore, the issue is only exploitable in
+ rare (non-POSIX) 32-bit architectures which are not used by any of the
+ current authorities. Fixes bug 30040; bugfix on 0.3.5.1-alpha. Bug found
+ and fixed by Tobias Stoeckmann.
diff --git a/src/ext/getdelim.c b/src/ext/getdelim.c
@@ -67,7 +67,8 @@ compat_getdelim_(char **buf, size_t *bufsiz, int delimiter, FILE *fp)
char *nbuf;
size_t nbufsiz = *bufsiz * 2;
ssize_t d = ptr - *buf;
- if ((nbuf = raw_realloc(*buf, nbufsiz)) == NULL)
+ if (nbufsiz < *bufsiz ||
+ (nbuf = raw_realloc(*buf, nbufsiz)) == NULL)
return -1;
*buf = nbuf;
*bufsiz = nbufsiz;
