Avoid out-of-bounds smartlist access in protover_compute_vote()

and contract_protocol_list()

diff --git a/changes/bug26196 b/changes/bug26196
new file mode 100644 (file)
index 0000000..47fcffa
--- /dev/null
+++ b/changes/bug26196
@@ -0,0 +1,4 @@
+  o Minor bugfixes (hardening):
+    - Prevent a possible out-of-bounds smartlist read in
+      protover_compute_vote(). Fixes bug 26196; bugfix on
+      0.2.9.4-alpha.

diff --git a/src/or/protover.c b/src/or/protover.c
index 0c79037f688106d5aab9e8d09c670cc7ec08406e..31ca13fe61246e269fc859e9bc62dc55e08ad81c 100644 (file)
--- a/src/or/protover.c
+++ b/src/or/protover.c
@@ -453,6 +453,10 @@ cmp_single_ent_by_version(const void **a_, const void **b_)
 static char *
 contract_protocol_list(const smartlist_t *proto_strings)
 {
+  if (smartlist_len(proto_strings) == 0) {
+    return tor_strdup("");
+  }
+
   // map from name to list of single-version entries
   strmap_t *entry_lists_by_name = strmap_new();
   // list of protocol names
@@ -561,6 +565,10 @@ char *
 protover_compute_vote(const smartlist_t *list_of_proto_strings,
                       int threshold)
 {
+  if (smartlist_len(list_of_proto_strings) == 0) {
+    return tor_strdup("");
+  }
+
   smartlist_t *all_entries = smartlist_new();
 
   // First, parse the inputs and break them into singleton entries.
@@ -587,6 +595,11 @@ protover_compute_vote(const smartlist_t *list_of_proto_strings,
     smartlist_free(unexpanded);
   } SMARTLIST_FOREACH_END(vote);
 
+  if (smartlist_len(all_entries) == 0) {
+    smartlist_free(all_entries);
+    return tor_strdup("");
+  }
+
   // Now sort the singleton entries
   smartlist_sort_strings(all_entries);