This is a fix for bug 8844, where eugenis correctly notes that there's
a sentinel value at the end of the list-of-freelists that's never
actually checked. It's been a bug since the first version of the chunked
buffer code back in 0.2.0.16-alpha.
This would probably be a crash bug if it ever happens, but nobody's
ever reported something like this, so I'm unsure whether it can occur.
It would require write_to_buf, write_to_buf_zlib, read_to_buf, or
read_to_buf_tls to get an input size of more than 32K. Still, it's a
good idea to fix this kind of thing!
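The failure mode described above, as an added example that is not Tor's code: a sentinel-terminated table of the same shape as the list of freelists, with the pre-fix loop (which stops only on alloc_size <= alloc) beside the fixed loop (which also stops on the sentinel's zero alloc_size). The chunk sizes, the guard entry standing in for memory past the table, the last_probe counter and the helper names are assumptions for illustration; only the zero-sized sentinel and the 32K upper bound come from the commit message.

```c
/* Added example, not Tor's code.  Chunk sizes below are assumed; the real
 * table's layout is not shown in the commit. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

struct freelist {
  size_t alloc_size;  /* chunk size served by this list; 0 marks the sentinel */
};

/* Real entries in ascending order, then the all-zero sentinel, then one
 * guard entry standing in for whatever happens to follow the table in
 * memory.  In a real build nothing guarantees that memory is readable, or
 * that its first word is not <= alloc; the guard only makes the overrun
 * observable here instead of undefined behaviour. */
static const struct freelist freelists[] = {
  { 4096 }, { 8192 }, { 16384 }, { 32768 },
  { 0 },        /* sentinel: index 4 */
  { SIZE_MAX }, /* guard: index 5, "past the end of the table" */
};
#define SENTINEL_INDEX 4

/* Highest table index the most recent lookup read (assumed instrumentation). */
static size_t last_probe;

/* Before the fix: the only stopping condition is alloc_size <= alloc.  The
 * sentinel's alloc_size is 0, and 0 <= alloc holds for every size_t, so any
 * alloc larger than the largest real entry walks straight past the sentinel. */
static const struct freelist *
get_freelist_before(size_t alloc)
{
  size_t i;
  for (i = 0; freelists[i].alloc_size <= alloc; ++i) {
    last_probe = i;
    if (freelists[i].alloc_size == alloc)
      return &freelists[i];
  }
  last_probe = i;  /* index whose alloc_size the failing test just read */
  return NULL;
}

/* After the fix: a zero alloc_size (the sentinel) also ends the loop, so an
 * oversize request returns NULL without touching anything past the sentinel. */
static const struct freelist *
get_freelist_after(size_t alloc)
{
  size_t i;
  for (i = 0; freelists[i].alloc_size && freelists[i].alloc_size <= alloc; ++i) {
    last_probe = i;
    if (freelists[i].alloc_size == alloc)
      return &freelists[i];
  }
  last_probe = i;
  return NULL;
}

/* Table index of the freelist chosen for alloc, or -1 when there is none. */
static int
lookup_index(const struct freelist *(*fn)(size_t), size_t alloc)
{
  const struct freelist *fl = fn(alloc);
  return fl ? (int)(fl - freelists) : -1;
}

/* 1 if the lookup read an entry beyond the sentinel, else 0. */
static int
lookup_overran(const struct freelist *(*fn)(size_t), size_t alloc)
{
  fn(alloc);
  return last_probe > SENTINEL_INDEX;
}

int
main(void)
{
  /* 65536 is the size the patch's own test uses: larger than any chunk. */
  printf("65536 before fix: overran=%d (probed index %zu)\n",
         lookup_overran(get_freelist_before, 65536), last_probe);
  printf("65536 after fix:  overran=%d (probed index %zu), index=%d\n",
         lookup_overran(get_freelist_after, 65536), last_probe,
         lookup_index(get_freelist_after, 65536));
  printf("16384 after fix:  index=%d\n", lookup_index(get_freelist_after, 16384));
  return 0;
}
```

An unrecognized size that is still smaller than the largest entry (say 5000) was already safe under the old loop, because the next real entry's alloc_size is greater than alloc and stops it; only a request above the largest real entry reaches the sentinel, which is why the commit message ties the bug to inputs over 32K.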
--- /dev/null
+ o Major bugfixes:
+ - Prevent the get_freelists() function from running off the end of
+ the list of freelists if it somehow gets an unrecognized
+ allocation. Fixes bug 8844; bugfix on 0.2.0.16-alpha. Reported by
+ eugenis.
+
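Review bot: the changes entry names get_freelists(), but the function this patch modifies is get_freelist() (singular, see the hunk below); use the real name so the entry matches the code and can be grepped. It would also help the reader to say what the function does instead when it reaches the sentinel (fail the lookup rather than return a bogus entry), since "prevent ... from running off the end" describes the old behaviour, not the new one.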
get_freelist(size_t alloc)
{
int i;
- for (i=0; freelists[i].alloc_size <= alloc; ++i) {
+ for (i=0; (freelists[i].alloc_size <= alloc &&
+ freelists[i].alloc_size); ++i ) {
if (freelists[i].alloc_size == alloc) {
return &freelists[i];
}
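Review bot: in the new loop condition the non-zero test on freelists[i].alloc_size is the only thing that can stop the loop at the sentinel (its alloc_size is 0, and 0 <= alloc is true for every size_t), yet it is written second, after the comparison it exists to guard; put it first so the intent is explicit, e.g. `for (i=0; freelists[i].alloc_size && freelists[i].alloc_size <= alloc; ++i) {`, and drop the stray space in `++i )`. The hunk does not show what the function returns once the loop ends without a match, which is now a reachable path for any allocation larger than the largest freelist; confirm that value (presumably NULL) is what every caller handles, and document the no-match return in the function's comment, since the callers named in the commit message (write_to_buf, read_to_buf and friends) are the ones that would otherwise have crashed.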
buf_free(buf);
buf = NULL;
+ /* Try adding a string too long for any freelist. */
+ {
+ char *cp = tor_malloc_zero(65536);
+ buf = buf_new();
+ write_to_buf(cp, 65536, buf);
+ tor_free(cp);
+
+ tt_int_op(buf_datalen(buf), ==, 65536);
+ buf_free(buf);
+ buf = NULL;
+ }
+
done:
if (buf)
buf_free(buf);
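Review bot: the new test only checks buf_datalen() after writing 65536 bytes, so it proves the write did not crash and counted the bytes, but not that the data landed in a correctly sized chunk; read the 65536 bytes back out and compare them with the input, and fill `cp` with a recognizable pattern instead of tor_malloc_zero() so that comparison is meaningful. Also check the return value of write_to_buf() rather than ignoring it, and say in the comment why 65536 was chosen (it exceeds the largest freelist size, which the commit message puts at 32K) so the constant does not silently stop exercising the sentinel path if the freelist sizes change.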