Limit the number of elements in a consdiff hash line.
authorNick Mathewson <nickm@torproject.org>
Mon, 6 Dec 2021 17:35:08 +0000 (12:35 -0500)
committerNick Mathewson <nickm@torproject.org>
Mon, 6 Dec 2021 17:35:08 +0000 (12:35 -0500)
This avoids performing and then freeing a lot of small mallocs() if
the hash line has too many elements.

Fixes one case of bug 40472; resolves OSS-Fuzz 38363.  Bugfix on
0.3.1.1-alpha when the consdiff parsing code was introduced.

changes/bug40472 [new file with mode: 0644]
src/feature/dircommon/consdiff.c

diff --git a/changes/bug40472 b/changes/bug40472
new file mode 100644 (file)
index 0000000..d87c1dc
--- /dev/null
@@ -0,0 +1,6 @@
+  o Minor bugfixes (performance, DoS):
+    - Fix one case of a not-especially viable denial-of-service attack found
+      by OSS-Fuzz in our consensus-diff parsing code. This attack causes a
+      lot small of memory allocations and then immediately frees them: this
+      is only slow when running with all the sanitizers enabled.  Fixes one
+      case of bug 40472; bugfix on 0.3.1.1-alpha.
index d0f7594ce3fab84d96d9e8ca045ca1f0e7bb41ed..3c38e92dd60dbe784410f586ed6af37ed8d0607d 100644 (file)
@@ -1126,7 +1126,7 @@ consdiff_get_digests(const smartlist_t *diff,
   {
     const cdline_t *line2 = smartlist_get(diff, 1);
     char *h = tor_memdup_nulterm(line2->s, line2->len);
-    smartlist_split_string(hash_words, h, " ", 0, 0);
+    smartlist_split_string(hash_words, h, " ", 0, 4);
     tor_free(h);
   }
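Review bot: The new limit `4` in the `smartlist_split_string(hash_words, h, " ", 0, 4)` call is an unexplained magic number. Its correctness depends on the word-count check that presumably follows this block, which is outside the hunk, as is the rest of consdiff_get_digests. If the cap is ever lowered to the expected count, surplus elements would be folded into the last piece instead of failing the count check, so a malformed hash line could be judged on its final token alone. I would state the invariant next to the call, for example `/* Cap at one more piece than a valid hash line has, so an over-long line still fails the count check below without one allocation per element. */`. The file list shows only the changes entry and consdiff.c, so a unit test feeding a hash line with surplus elements and asserting rejection would pin this behaviour.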