Fix a memory leak when parsing a ns

Adding the same vote to a networkstatus consensus leads to a memory leak
on the client side. Fix that by only using the first vote from any given
voter, and ignoring the others.

Problem found by Rotor, who also helped writing the patch. Thanks!

diff --git a/ChangeLog b/ChangeLog
index 1da6a9719363a780ac951177b5a95df422a4419c..aabe9b4fbe287b3478ce7e9e29611211d72f5244 100644 (file)
--- a/ChangeLog
+++ b/ChangeLog
@@ -6,6 +6,9 @@ Changes in version 0.2.1.20 - 2009-??-??
       patch. Bugfix on the 54th commit on Tor -- from July 2002,
       before the release of Tor 0.0.0. This is the new winner of the
       oldest-bug prize.
+    - Fix a remotely triggerable memory leak when a consensus document
+      contains more than one signature from the same voter. Bugfix on
+      0.2.0.3-alpha.
 
   o New directory authorities:
     - Set up urras (run by Jacob Appelbaum) as the seventh v3 directory

diff --git a/src/or/routerparse.c b/src/or/routerparse.c
index 97dd20f4e38ca54a85d6e12b29785428e6855df8..189458ee1e0f2f100de7560b962f5b21d6254c76 100644 (file)
--- a/src/or/routerparse.c
+++ b/src/or/routerparse.c
@@ -2509,6 +2509,14 @@ networkstatus_parse_vote_from_string(const char *s, const char **eos_out,
     } else {
       if (tok->object_size >= INT_MAX)
         goto err;
+      /* We already parsed a vote from this voter. Use the first one. */
+      if (v->signature) {
+        log_fn(LOG_PROTOCOL_WARN, LD_DIR, "We received a networkstatus "
+                   "that contains two votes from the same voter. Ignoring "
+                   "the second vote.");
+        continue;
+      }
+
       v->signature = tor_memdup(tok->object_body, tok->object_size);
       v->signature_len = (int) tok->object_size;
     }