lookup_last_hid_serv_request() could overflow and leak memory

The problem was that we didn't allocate enough memory on 32-bit
platforms with 64-bit time_t. The memory leak occured every time
we fetched a hidden service descriptor we've fetched before.

diff --git a/ChangeLog b/ChangeLog
index 592c39f8a9624119725f5219f7693b3c7e554b05..973f69b36ba9e5b7125ad742346b83cb749f039e 100644 (file)
--- a/ChangeLog
+++ b/ChangeLog
@@ -8,6 +8,13 @@ Changes in version 0.2.1.23 - 2010-0?-??
       automatically discard guards picked using the old algorithm. Fixes
       bug 1217; bugfix on 0.2.1.3-alpha. Found by Mike Perry.
 
+  o Major bugfixes:
+    - Fix a potential buffer overflow in lookup_last_hid_serv_request()
+     that could happen on 32-bit platforms with 64-bit time_t. Also fix
+     a memory leak when requesting a hidden service descriptor we've
+     requested before. Fixes bug 1242, bugfix on 0.2.0.18-alpha. Found
+     by aakova.
+
   o Minor bugfixes:
     - When deciding whether to use strange flags to turn TLS renegotiation
       on, detect the OpenSSL version at run-time, not compile time.  We

diff --git a/src/or/rendclient.c b/src/or/rendclient.c
index 47a8818a503d3268781ab2c9467dd31bd5c4e1f4..e252174b480a8ee142b3fb56860fe2cc0fa597d3 100644 (file)
--- a/src/or/rendclient.c
+++ b/src/or/rendclient.c
@@ -354,9 +354,12 @@ lookup_last_hid_serv_request(routerstatus_t *hs_dir,
   tor_snprintf(hsdir_desc_comb_id, sizeof(hsdir_desc_comb_id), "%s%s",
                hsdir_id_base32, desc_id_base32);
   if (set) {
-    last_request_ptr = tor_malloc_zero(sizeof(time_t *));
+    time_t *oldptr;
+    last_request_ptr = tor_malloc_zero(sizeof(time_t));
     *last_request_ptr = now;
-    strmap_set(last_hid_serv_requests, hsdir_desc_comb_id, last_request_ptr);
+    oldptr = strmap_set(last_hid_serv_requests, hsdir_desc_comb_id,
+                        last_request_ptr);
+    tor_free(oldptr);
   } else
     last_request_ptr = strmap_get_lc(last_hid_serv_requests,
                                      hsdir_desc_comb_id);