Stop leaking memory in error cases of md parsing

When clearing a list of tokens, it's important to do token_clear()
on them first, or else any keys they contain will leak.  This didn't
leak memory on any of the successful microdescriptor parsing paths,
but it does leak on some failing paths when the failure happens
during tokenization.

Fixes bug 11618; bugfix on 0.2.2.6-alpha.

diff --git a/changes/md_leak_bug b/changes/md_leak_bug
new file mode 100644 (file)
index 0000000..26270aa
--- /dev/null
+++ b/changes/md_leak_bug
@@ -0,0 +1,5 @@
+  o Major bugfixes (security, OOM)
+    - Fix a memory leak that could occur if a microdescriptor parse
+      fails during the tokenizing step. This could enable a memory
+      exhaustion attack by directory servers. Fixes bug #11649; bugfix
+      on 0.2.2.6-alpha.

diff --git a/src/or/routerparse.c b/src/or/routerparse.c
index 97e0bc8c85434cfea95f637080f6a8dc311b72c2..3ff887c3ca0c00b0c83f2b7b258e9d6bdc5854f6 100644 (file)
--- a/src/or/routerparse.c
+++ b/src/or/routerparse.c
@@ -4455,11 +4455,13 @@ microdescs_parse_from_string(const char *s, const char *eos,
     microdesc_free(md);
     md = NULL;
 
+    SMARTLIST_FOREACH(tokens, directory_token_t *, t, token_clear(t));
     memarea_clear(area);
     smartlist_clear(tokens);
     s = start_of_next_microdesc;
   }
 
+  SMARTLIST_FOREACH(tokens, directory_token_t *, t, token_clear(t));
   memarea_drop_all(area);
   smartlist_free(tokens);