Fix double-free bug in microdesc parser

author cypherpunks <writecode@127.0.0.1>

Wed, 27 Apr 2011 18:10:56 +0000 (11:10 -0700)

committer Nick Mathewson <nickm@torproject.org>

Wed, 27 Apr 2011 19:15:32 +0000 (15:15 -0400)
author cypherpunks <writecode@127.0.0.1>
Wed, 27 Apr 2011 18:10:56 +0000 (11:10 -0700)
committer Nick Mathewson <nickm@torproject.org>
Wed, 27 Apr 2011 19:15:32 +0000 (15:15 -0400)
diff --git a/changes/microdesc-double-free b/changes/microdesc-double-free

new file mode 100644 (file)

index 0000000..932cc75
--- /dev/null
+++ b/changes/microdesc-double-free
@@ -0,0 +1,7 @@
+  o Security fixes:
+    - Don't double-free a parsable, but invalid, microdescriptor, even
+      if it is followed in the blob we're parsing by an unparsable
+      microdescriptor.  Fixes an issue reported in a comment on bug 2954.
+      Bugfix on 0.2.2.6-alpha; fix by "cypherpunks".
+
+
diff --git a/src/or/routerparse.c b/src/or/routerparse.c

index ba29f056f17f96c003c5a88fea10da8aac6d675e..d0138e638bc2f56ad7512f2aeaa9fa4b75495182 100644 (file)
--- a/src/or/routerparse.c
+++ b/src/or/routerparse.c
@@ -4357,6 +4357,7 @@ microdescs_parse_from_string(const char *s, const char *eos,
      md = NULL;
    next:
      microdesc_free(md);
+    md = NULL;
  
      memarea_clear(area);
      smartlist_clear(tokens);
author	cypherpunks <writecode@127.0.0.1>
	Wed, 27 Apr 2011 18:10:56 +0000 (11:10 -0700)
committer	Nick Mathewson <nickm@torproject.org>
	Wed, 27 Apr 2011 19:15:32 +0000 (15:15 -0400)
changes/microdesc-double-free	[new file with mode: 0644]	patch \| blob
src/or/routerparse.c		patch \| blob \| blame \| history