From: Nick Mathewson <nickm@torproject.org>
Date: Wed, 14 Dec 2005 02:19:27 +0000 (+0000)
Subject: Fix a potential memory stomp on servers running hidden services. Found by weasel... 
X-Git-Tag: tor-0.1.1.11-alpha~204
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=4f3867032853f449c6f9241b016379cf84f3a269;p=thirdparty%2Ftor.git

Fix a potential memory stomp on servers running hidden services. Found by weasel with valgrind. Backport candidate.


svn:r5579
---

diff --git a/src/or/rendcommon.c b/src/or/rendcommon.c
index c771a8d9de..4d1c83b0cf 100644
--- a/src/or/rendcommon.c
+++ b/src/or/rendcommon.c
@@ -56,7 +56,8 @@ rend_encode_service_descriptor(rend_service_descriptor_t *desc,
   char *end;
   int i;
   size_t asn1len;
-  cp = *str_out = tor_malloc(PK_BYTES*2*(desc->n_intro_points+2)); /*Too long, but ok*/
+  size_t buflen = PK_BYTES*2*(desc->n_intro_points+2);/*Too long, but ok*/
+  cp = *str_out = tor_malloc(buflen);
   end = cp + PK_BYTES*2*(desc->n_intro_points+1);
   if (version) {
     *(uint8_t*)cp = (uint8_t)0xff;
@@ -77,7 +78,7 @@ rend_encode_service_descriptor(rend_service_descriptor_t *desc,
   if (version == 0) {
     for (i=0; i < desc->n_intro_points; ++i) {
       char *ipoint = (char*)desc->intro_points[i];
-      strlcpy(cp, ipoint, *len_out-(cp-*str_out));
+      strlcpy(cp, ipoint, buflen-(cp-*str_out));
       cp += strlen(ipoint)+1;
     }
   } else {