[or-cvs] bugfixes: smartlist_join_strings2() was underflowing a size_t

arma at seul.org arma at seul.org
Mon Jul 18 23:11:48 UTC 2005


Update of /home2/or/cvsroot/tor/src/common
In directory moria:/home/arma/work/onion/cvs/tor/src/common

Modified Files:
	container.c 
Log Message:
bugfixes: smartlist_join_strings2() was underflowing a size_t
if you gave it an empty smartlist; and it wasn't terminating in
this case even if you asked it to.

this does not appear to be exploitable in any reasonable cases.


Index: container.c
===================================================================
RCS file: /home2/or/cvsroot/tor/src/common/container.c,v
retrieving revision 1.28
retrieving revision 1.29
diff -u -d -r1.28 -r1.29
--- container.c	11 Jun 2005 05:31:15 -0000	1.28
+++ container.c	18 Jul 2005 23:11:46 -0000	1.29
@@ -357,6 +357,10 @@
 
   tor_assert(sl);
   tor_assert(join);
+
+  if (sl->num_used == 0)
+    n = join_len; /* special-case this one, to avoid underflow */
+
   for (i = 0; i < sl->num_used; ++i) {
     n += strlen(sl->list[i]);
     n += join_len;
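Review bot: The comment on the `n = join_len` special case says only "to avoid underflow", but the subtraction it protects against is not in this hunk, and the assignment is made whether or not `terminate` is set. Name the later subtraction in the comment, or better, guard that subtraction where it happens (skip it when `sl->num_used == 0`), so the length computed for an empty list does not depend on two separate statements staying in sync.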
@@ -371,6 +375,11 @@
       dst += join_len;
     }
   }
+  if (sl->num_used == 0 && terminate) {
+    /* another special case for length == 0 */
+    memcpy(dst, join, join_len);
+    dst += join_len;
+  }
   *dst = '\0';
 
   if (len_out)
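Review bot: In the new `sl->num_used == 0 && terminate` branch, the `memcpy(dst, join, join_len)` followed by `*dst = '\0'` stays in bounds only if the buffer was sized from the `n = join_len` special case added in the first hunk, so the two special cases are silently coupled. A comment tying them together would help, along with a unit test that joins an empty smartlist with `terminate` both set and unset and checks the returned string and the value reported through `len_out`. The function's doc comment should also say that an empty list with `terminate` set yields the join string alone.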


