tor

The Tor anonymity network
git clone https://git.dasho.dev/tor.git
Log | Files | Refs | README | LICENSE
commit c239b2fc9c19d7c146888b534a8b51a88df03326
parent 2cd49d9ea6f8bad20215ad17d5057a8eea8e39e8
Author: Alexander Færøy <ahf@0x90.dk>
Date:   Wed, 28 Jun 2017 09:57:58 -0400

Fix crash in LZMA module when the Sandbox is enabled.

This patch fixes a crash in our LZMA module where liblzma will allocate
slightly more data than it is allowed to by its limit, which leads to a
crash.

See: https://bugs.torproject.org/22751

Diffstat:

Achanges/bug22751 | 5+++++


Msrc/common/sandbox.c | 10++++++++--


2 files changed, 13 insertions(+), 2 deletions(-)

diff --git a/changes/bug22751 b/changes/bug22751
@@ -0,0 +1,5 @@
+  o Major bugfixes (compression):
+    - Fix crash in LZMA module, when the Sandbox is enabled, where
+      liblzma would allocate more than 16 MB of memory.  We solve this
+      by bumping the mprotect() limit in the Sandbox module from 16 MB
+      to 20 MB.  Fixes bug 22751; bugfix on 0.3.1.1-alpha.
diff --git a/src/common/sandbox.c b/src/common/sandbox.c
@@ -19,8 +19,14 @@
 #define _LARGEFILE64_SOURCE
 #endif
 
-/** Malloc mprotect limit in bytes. */
-#define MALLOC_MP_LIM (16*1024*1024)
+/** Malloc mprotect limit in bytes.
+ *
+ * 28/06/2017: This value was increased from 16 MB to 20 MB after we introduced
+ * LZMA support in Tor (0.3.1.1-alpha). We limit our LZMA coder to 16 MB, but
+ * liblzma have a small overhead that we need to compensate for to avoid being
+ * killed by the sandbox.
+ */
+#define MALLOC_MP_LIM (20*1024*1024)
 
 #include <stdio.h>
 #include <string.h>