Fix bounds-checking in policy_summarize

author Robert Ransom <rransom.8774@gmail.com>

Thu, 20 Jan 2011 19:17:57 +0000 (11:17 -0800)

committer Robert Ransom <rransom.8774@gmail.com>

Thu, 20 Jan 2011 19:17:57 +0000 (11:17 -0800)
author Robert Ransom <rransom.8774@gmail.com>
Thu, 20 Jan 2011 19:17:57 +0000 (11:17 -0800)
committer Robert Ransom <rransom.8774@gmail.com>
Thu, 20 Jan 2011 19:17:57 +0000 (11:17 -0800)
diff --git a/changes/policy_summarize-assert b/changes/policy_summarize-assert

new file mode 100644 (file)

index 0000000..619e8e7
--- /dev/null
+++ b/changes/policy_summarize-assert
@@ -0,0 +1,6 @@
+  o Major bugfixes (security)
+    - Fix a bounds-checking error that could allow an attacker to
+      remotely crash a directory authority.  Found by piebeer.
+      Bugfix on 0.2.1.5-alpha.
+
+
diff --git a/src/or/policies.c b/src/or/policies.c

index d4b4a07c56a541752728710ec3909f13757063a6..0a8fd7328eade38641fb1dd4822763259d0568da 100644 (file)
--- a/src/or/policies.c
+++ b/src/or/policies.c
@@ -1209,8 +1209,8 @@ policy_summarize(smartlist_t *policy)
    accepts_str = smartlist_join_strings(accepts, ",", 0, &accepts_len);
    rejects_str = smartlist_join_strings(rejects, ",", 0, &rejects_len);
  
-  if (rejects_len > MAX_EXITPOLICY_SUMMARY_LEN &&
-      accepts_len > MAX_EXITPOLICY_SUMMARY_LEN) {
+  if (rejects_len > MAX_EXITPOLICY_SUMMARY_LEN-strlen("reject")-1 &&
+      accepts_len > MAX_EXITPOLICY_SUMMARY_LEN-strlen("accept")-1) {
      char *c;
      shorter_str = accepts_str;
      prefix = "accept";
author	Robert Ransom <rransom.8774@gmail.com>
	Thu, 20 Jan 2011 19:17:57 +0000 (11:17 -0800)
committer	Robert Ransom <rransom.8774@gmail.com>
	Thu, 20 Jan 2011 19:17:57 +0000 (11:17 -0800)
changes/policy_summarize-assert	[new file with mode: 0644]	patch \| blob
src/or/policies.c		patch \| blob \| blame \| history