conflux: Fix wrong sizeof() type

author David Goulet <dgoulet@torproject.org>

Thu, 19 Mar 2026 14:23:39 +0000 (10:23 -0400)

committer David Goulet <dgoulet@torproject.org>

Wed, 25 Mar 2026 13:38:37 +0000 (09:38 -0400)
author David Goulet <dgoulet@torproject.org>
Thu, 19 Mar 2026 14:23:39 +0000 (10:23 -0400)
committer David Goulet <dgoulet@torproject.org>
Wed, 25 Mar 2026 13:38:37 +0000 (09:38 -0400)
diff --git a/changes/ticket41232 b/changes/ticket41232

new file mode 100644 (file)

index 0000000..4164e40
--- /dev/null
+++ b/changes/ticket41232
@@ -0,0 +1,4 @@
+  o Major bugfix (security, conflux):
+    - Fix a memory compare using the wrong length. This could lead to a remote
+      crash when using the conflux subsystem. TROVE-2026-004. Fixes bug 41232;
+      bugfix on 0.4.8.1-alpha.
diff --git a/src/core/or/conflux_pool.c b/src/core/or/conflux_pool.c

index efbb2d04e92acedec688b2c197b86a8d8619b10a..9ed3ad37db74ef0a2d22062085825390f4f6db06 100644 (file)
--- a/src/core/or/conflux_pool.c
+++ b/src/core/or/conflux_pool.c
@@ -1947,7 +1947,7 @@ conflux_process_linked(circuit_t *circ, crypt_path_t *layer_hint,
    /* Make sure the cell nonce matches the one on the circuit that was
     * previously set by the CONFLUX_LINK cell. */
    if (tor_memneq(link->nonce, circ->conflux_pending_nonce,
-                 sizeof(*link->nonce))) {
+                 sizeof(link->nonce))) {
      log_fn(LOG_PROTOCOL_WARN, LD_CIRC,
             "Received CONFLUX_LINKED but circuit nonce doesn't match "
             "cell nonce. Closing circuit.");
author	David Goulet <dgoulet@torproject.org>
	Thu, 19 Mar 2026 14:23:39 +0000 (10:23 -0400)
committer	David Goulet <dgoulet@torproject.org>
	Wed, 25 Mar 2026 13:38:37 +0000 (09:38 -0400)
changes/ticket41232	[new file with mode: 0644]	patch \| blob
src/core/or/conflux_pool.c		patch \| blob \| blame \| history