changes/bug22737 0 → 100644 +12 −0 Original line number Diff line number Diff line o Minor bugfixes (defensive programming, undefined behavior): - Fix a memset() off the end of an array when packing cells. This bug should be harmless in practice, since the corrupted bytes are still in the same structure, and are always padding bytes, ignored, or immediately overwritten, depending on compiler behavior. Nevertheless, because the memset()'s purpose is to make sure that any other cell-handling bugs can't expose bytes to the network, we need to fix it. Fixes bug 22737; bugfix on 0.2.4.11-alpha. Fixes CID 1401591.
src/or/connection_or.c +3 −1 Original line number Diff line number Diff line Loading @@ -419,9 +419,11 @@ cell_pack(packed_cell_t *dst, const cell_t *src, int wide_circ_ids) set_uint32(dest, htonl(src->circ_id)); dest += 4; } else { /* Clear the last two bytes of dest, in case we can accidentally * send them to the network somehow. */ memset(dest+CELL_MAX_NETWORK_SIZE-2, 0, 2); set_uint16(dest, htons(src->circ_id)); dest += 2; memset(dest+CELL_MAX_NETWORK_SIZE-2, 0, 2); /*make sure it's clear */ } set_uint8(dest, src->command); memcpy(dest+1, src->payload, CELL_PAYLOAD_SIZE); Loading
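Review bot: the fix is correct, but the hunk still leaves the invariant implicit: the old `memset(dest+CELL_MAX_NETWORK_SIZE-2, 0, 2)` ran after `dest += 2;`, so its offset was measured from the advanced cursor and landed two bytes past the end of the packed cell; moving it before `set_uint16(dest, htons(src->circ_id)); dest += 2;` puts it back inside the buffer, yet it still depends on `dest` not having moved. Consider computing the tail pointer from the start of the output buffer (the `dst` argument) rather than from the moving `dest` cursor, so a future reordering of the `dest +=` lines cannot reintroduce the overrun, and consider a small unit test that packs a narrow-circ-ID cell and asserts the final two bytes are zero; that would have caught this independently of Coverity (CID 1401591 in the changes entry). The new comment ("in case we can accidentally send them to the network somehow") would also read better if it said plainly that the two-byte circ-ID layout leaves the last two bytes of the buffer unwritten by the header and payload copies, which is why they must be cleared.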