commit 9a0fd2dbb187e898f63064c483776538a90562f1
parent 24ee8595bf3aa8648d37c2f94277c33bfbc8db64
Author: Nick Mathewson <nickm@torproject.org>
Date: Tue, 27 Jun 2017 11:04:44 -0400
Merge branch 'maint-0.2.6' into maint-0.2.7-redux
Diffstat:
2 files changed, 15 insertions(+), 1 deletion(-)
diff --git a/changes/bug22737 b/changes/bug22737
@@ -0,0 +1,12 @@
+ o Minor bugfixes (defensive programming, undefined behavior):
+
+ - Fix a memset() off the end of an array when packing cells. This
+ bug should be harmless in practice, since the corrupted bytes
+ are still in the same structure, and are always padding bytes,
+ ignored, or immediately overwritten, depending on compiler
+ behavior. Nevertheless, because the memset()'s purpose is to
+ make sure that any other cell-handling bugs can't expose bytes
+ to the network, we need to fix it. Fixes bug 22737; bugfix on
+ 0.2.4.11-alpha. Fixes CID 1401591.
+
+
diff --git a/src/or/connection_or.c b/src/or/connection_or.c
@@ -430,9 +430,11 @@ cell_pack(packed_cell_t *dst, const cell_t *src, int wide_circ_ids)
set_uint32(dest, htonl(src->circ_id));
dest += 4;
} else {
+ /* Clear the last two bytes of dest, in case we can accidentally
+ * send them to the network somehow. */
+ memset(dest+CELL_MAX_NETWORK_SIZE-2, 0, 2);
set_uint16(dest, htons(src->circ_id));
dest += 2;
- memset(dest+CELL_MAX_NETWORK_SIZE-2, 0, 2); /*make sure it's clear */
}
set_uint8(dest, src->command);
memcpy(dest+1, src->payload, CELL_PAYLOAD_SIZE);
