commit 86819229afde13ae8466ee782f4c4bd9ba6f37cd
parent 4a24673436b2f8cf7a6bbbb353f97f1ae403e411
Author: Nick Mathewson <nickm@torproject.org>
Date: Mon, 6 Dec 2021 12:35:08 -0500
Limit the number of elements in a consdiff hash line.
This avoids performing and then freeing a lot of small mallocs() if
the hash line has too many elements.
Fixes one case of bug 40472; resolves OSS-Fuzz 38363. Bugfix on
0.3.1.1-alpha when the consdiff parsing code was introduced.
Diffstat:
2 files changed, 7 insertions(+), 1 deletion(-)
diff --git a/changes/bug40472 b/changes/bug40472
@@ -0,0 +1,6 @@
+ o Minor bugfixes (performance, DoS):
+ - Fix one case of a not-especially viable denial-of-service attack found
+ by OSS-Fuzz in our consensus-diff parsing code. This attack causes a
+ lot small of memory allocations and then immediately frees them: this
+ is only slow when running with all the sanitizers enabled. Fixes one
+ case of bug 40472; bugfix on 0.3.1.1-alpha.
diff --git a/src/feature/dircommon/consdiff.c b/src/feature/dircommon/consdiff.c
@@ -1126,7 +1126,7 @@ consdiff_get_digests(const smartlist_t *diff,
{
const cdline_t *line2 = smartlist_get(diff, 1);
char *h = tor_memdup_nulterm(line2->s, line2->len);
- smartlist_split_string(hash_words, h, " ", 0, 0);
+ smartlist_split_string(hash_words, h, " ", 0, 4);
tor_free(h);
}
