[tor-commits] [tor/master] Fix use-after-free of stack memory in getinfo_helper_policies

nickm at torproject.org nickm at torproject.org
Fri Nov 27 17:11:55 UTC 2015


commit 3f83ea84c73e5066eaac87080322f13fc0c7ab91
Author: teor (Tim Wilson-Brown) <teor2345 at gmail.com>
Date:   Fri Nov 27 09:31:47 2015 +1100

    Fix use-after-free of stack memory in getinfo_helper_policies
---
 src/or/policies.c |   12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/src/or/policies.c b/src/or/policies.c
index a46eb96..126ba46 100644
--- a/src/or/policies.c
+++ b/src/or/policies.c
@@ -2165,11 +2165,11 @@ getinfo_helper_policies(control_connection_t *conn,
     smartlist_t *private_policy_list = smartlist_new();
     smartlist_t *configured_addresses = smartlist_new();
 
-    /* Add the configured addresses to the tor_addr_t* list */
-    policies_add_ipv4h_to_smartlist(configured_addresses, me->addr);
-    policies_add_addr_to_smartlist(configured_addresses, &me->ipv6_addr);
-    policies_add_outbound_addresses_to_smartlist(configured_addresses,
-                                                 options);
+    /* Copy the configured addresses into the tor_addr_t* list */
+    policies_copy_ipv4h_to_smartlist(configured_addresses, me->addr);
+    policies_copy_addr_to_smartlist(configured_addresses, &me->ipv6_addr);
+    policies_copy_outbound_addresses_to_smartlist(configured_addresses,
+                                                  options);
 
     policies_parse_exit_policy_reject_private(
                                             &private_policy_list,
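Review bot: `me` is dereferenced at `me->addr` and `&me->ipv6_addr` in the copy calls, and nothing in this hunk shows it being checked for NULL first. The `exit-policy/` branch at the end of the next hunk obtains `me` from `router_get_my_routerinfo()`; if this branch does the same and that lookup can return NULL (an assumption to confirm, since the start of the branch is outside the hunk), a GETINFO request on the control connection would fault here. If no guard exists, add one before the two `smartlist_new()` calls so that the early exit does not leak the lists.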
@@ -2179,7 +2179,7 @@ getinfo_helper_policies(control_connection_t *conn,
     *answer = policy_dump_to_string(private_policy_list, 1, 1);
 
     addr_policy_list_free(private_policy_list);
-    /* the addresses in configured_addresses are not ours to free */
+    SMARTLIST_FOREACH(configured_addresses, tor_addr_t *, a, tor_free(a));
     smartlist_free(configured_addresses);
   } else if (!strcmpstart(question, "exit-policy/")) {
     const routerinfo_t *me = router_get_my_routerinfo();
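Review bot: The free loop on `configured_addresses` replaces the only comment that said who owns the list elements, so the new ownership rule is left implicit. Because `tor_free(a)` runs on every element, a borrowed pointer appended to this list later (for example `&me->ipv6_addr` itself) would be freed without being owned, which is the same class of memory error this commit fixes. I would add a comment above the loop, `/* configured_addresses holds heap copies made by policies_copy_*(); we own them and free each one here */`, and say the same at the fill site in the first hunk. The enclosing function starts and ends outside the hunk.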




