[tor-bugs] #11737 [Tor]: Damage of cached hte_hash values for HTs leads to undefined behavior
Tor Bug Tracker & Wiki
blackhole at torproject.org
Wed Jan 28 23:07:26 UTC 2015
#11737: Damage of cached hte_hash values for HTs leads to undefined behavior
-------------------------+-------------------------------------------------
Reporter: | Owner:
cypherpunks | Status: needs_review
Type: defect | Milestone: Tor: 0.2.6.x-final
Priority: normal | Version:
Component: Tor | Keywords: tor-relay, 026-triaged-1,
Resolution: | 026-deferrable, nickm-patch
Actual Points: | Parent ID:
Points: |
-------------------------+-------------------------------------------------
Comment (by sysrqb):
these sanity checks seem sane. Also, since you created HT_BUCKET_NUM_, if
I'm not mistaken, you can use it again in _HT_NEXT() and _HT_REP_IS_BAD_()
- it'll make the functions slightly more readable, I think.
otherwise, lgtm. (leaving in needs_review so others will still look at
it).
{{{
diff --git a/src/ext/ht.h b/src/ext/ht.h
index ee64e55..481e8f1 100644
--- a/src/ext/ht.h
+++ b/src/ext/ht.h
@@ -287,8 +287,7 @@ ht_string_hash(const char *s)
HT_BUCKET_NUM_(head,field,(*elm)->field.hte_next,hashfn)); \
return &(*elm)->field.hte_next; \
} else { \
- unsigned b = (HT_ELT_HASH_(*elm, field, hashfn) \
- % head->hth_table_length)+1; \
+ unsigned b = HT_BUCKET_NUM_(head,field,*elm,hashfn)+1; \
while (b < head->hth_table_length) { \
if (head->hth_table[b]) { \
HT_ASSERT_(b == \
@@ -434,7 +433,7 @@ ht_string_hash(const char *s)
for (elm = head->hth_table[i]; elm; elm = elm->field.hte_next) { \
if (HT_ELT_HASH_(elm, field, hashfn) != hashfn(elm)) \
return 1000 + i; \
- if ((HT_ELT_HASH_(elm, field, hashfn) % head->hth_table_length)
!= i) \
+ if (HT_BUCKET_NUM_(head,field,elm,hashfn) != i) \
return 10000 + i; \
++n; \
} \
}}}
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/11737#comment:14>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
More information about the tor-bugs
mailing list