[tor-commits] [tor/main] Limit the number of elements in a consdiff hash line.

ahf at torproject.org ahf at torproject.org
Wed Dec 15 12:38:50 UTC 2021


commit 86819229afde13ae8466ee782f4c4bd9ba6f37cd
Author: Nick Mathewson <nickm at torproject.org>
Date:   Mon Dec 6 12:35:08 2021 -0500

    Limit the number of elements in a consdiff hash line.
    
    This avoids performing and then freeing a lot of small mallocs() if
    the hash line has too many elements.
    
    Fixes one case of bug 40472; resolves OSS-Fuzz 38363.  Bugfix on
    0.3.1.1-alpha when the consdiff parsing code was introduced.
---
 changes/bug40472                 | 6 ++++++
 src/feature/dircommon/consdiff.c | 2 +-
 2 files changed, 7 insertions(+), 1 deletion(-)

diff --git a/changes/bug40472 b/changes/bug40472
new file mode 100644
index 0000000000..d87c1dc2cc
--- /dev/null
+++ b/changes/bug40472
@@ -0,0 +1,6 @@
+  o Minor bugfixes (performance, DoS):
+    - Fix one case of a not-especially viable denial-of-service attack found
+      by OSS-Fuzz in our consensus-diff parsing code. This attack causes a
+      lot small of memory allocations and then immediately frees them: this
+      is only slow when running with all the sanitizers enabled.  Fixes one
+      case of bug 40472; bugfix on 0.3.1.1-alpha.
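Review bot: the changelog text on the fourth added line has transposed words: "a lot small of memory allocations" should read "a lot of small memory allocations". Since changes/ entries are carried into the release notes, it is worth fixing here. The entry could also say, as the commit message does, that the fix works by limiting the number of elements parsed from the hash line, so readers know which input is now bounded.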
diff --git a/src/feature/dircommon/consdiff.c b/src/feature/dircommon/consdiff.c
index d0f7594ce3..3c38e92dd6 100644
--- a/src/feature/dircommon/consdiff.c
+++ b/src/feature/dircommon/consdiff.c
@@ -1126,7 +1126,7 @@ consdiff_get_digests(const smartlist_t *diff,
   {
     const cdline_t *line2 = smartlist_get(diff, 1);
     char *h = tor_memdup_nulterm(line2->s, line2->len);
-    smartlist_split_string(hash_words, h, " ", 0, 0);
+    smartlist_split_string(hash_words, h, " ", 0, 4);
     tor_free(h);
   }
 
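Review bot: the new literal 4 passed as the last argument of smartlist_split_string() has no comment or named constant tying it to the number of tokens a valid hash line carries. Please document why 4 is the right cap. Please also confirm that it is larger than the expected token count, so that a line with surplus elements still fails the later length check rather than having the extra text absorbed into the final piece. The diffstat shows only changes/bug40472 and consdiff.c touched, so a regression test that feeds an overlong hash line to consdiff_get_digests() would be a useful addition alongside the OSS-Fuzz case.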




