git.ipfire.org Git - thirdparty/tor.git/commit

author	Nick Mathewson <nickm@torproject.org>
	Wed, 11 Dec 2013 19:45:48 +0000 (14:45 -0500)
committer	Nick Mathewson <nickm@torproject.org>
	Tue, 8 Apr 2014 02:56:42 +0000 (22:56 -0400)
commit	092ac26ea28c17d13bd1d01cab9b3dec276c4dbc
tree	9573b72014a578d214410e82997a4d52976dd6fa	tree \| snapshot
parent	59f50c80d443a7e148f85cfed493e3e703cc4386	commit \| diff

Fix undefined behavior with pointer addition in channeltls.c

In C, it's a bad idea to do this:

   char *cp = array;
   char *end = array + array_len;

   /* .... */

   if (cp + 3 >= end) { /* out of bounds */ }

because cp+3 might be more than one off the end of the array, and
you are only allowed to construct pointers to the array elements,
and to an element one past the end.  Instead you have to say

   if (cp - array + 3 >= array_len) { /* ... */ }

or something like that.

This patch fixes two of these: one in process_versions_cell
introduced in 0.2.0.10-alpha, and one in process_certs_cell
introduced in 0.2.3.6-alpha.  These are both tracked under bug
10363. "bobnomnom" found and reported both. See also 10313.

In our code, this is likely to be a problem as we used it only if we
get a nasty allocator that makes allocations end close to (void*)-1.
But it's best not to have to worry about such things at all, so
let's just fix all of these we can find.

changes/bug10363	[new file with mode: 0644]	blob
src/or/channeltls.c		diff \| blob \| blame \| history