commit 368413a321a65234c0256c4ea80c613207cf7587 Author: Nick Mathewson nickm@torproject.org Date: Thu Oct 25 09:06:13 2018 -0400

Fix possible UB in an end-of-string check in get_next_token().

Remember, you can't check to see if there are N bytes left in a buffer by doing (buf + N < end), since the buf + N computation might take you off the end of the buffer and result in undefined behavior.

Fixes 28202; bugfix on 0.2.0.3-alpha. --- changes/bug28202 | 4 ++++ src/or/routerparse.c | 2 +- 2 files changed, 5 insertions(+), 1 deletion(-)

diff --git a/changes/bug28202 b/changes/bug28202 new file mode 100644 index 000000000..182daac4f --- /dev/null +++ b/changes/bug28202 @@ -0,0 +1,4 @@ + o Minor bugfixes (C correctness): + - Avoid undefined behavior in an end-of-string check when parsing the + BEGIN line in a directory object. Fixes bug 28202; bugfix on + 0.2.0.3-alpha. diff --git a/src/or/routerparse.c b/src/or/routerparse.c index 521e237be..063cbbcda 100644 --- a/src/or/routerparse.c +++ b/src/or/routerparse.c @@ -4964,7 +4964,7 @@ get_next_token(memarea_t *area, goto check_object;

obstart = *s; /* Set obstart to start of object spec */ - if (*s+16 >= eol || memchr(*s+11,'\0',eol-*s-16) || /* no short lines, */ + if (eol - *s <= 16 || memchr(*s+11,'\0',eol-*s-16) || /* no short lines, */ strcmp_len(eol-5, "-----", 5) || /* nuls or invalid endings */ (eol-*s) > MAX_UNPARSED_OBJECT_SIZE) { /* name too long */ RET_ERR("Malformed object: bad begin line");