Loading changes/memarea_overflow 0 → 100644 +7 −0 Original line number Diff line number Diff line o Minor bugfixes (pointer arithmetic): - Fix a bug in memarea_alloc() that could have resulted in remote heap write access, if Tor had ever passed an unchecked size to memarea_alloc(). Fortunately, all the sizes we pass to memarea_alloc() are pre-checked to be less than 128 kilobytes. Fixes bug 19150; bugfix on 0.2.1.1-alpha. Bug found by Guido Vranken. src/common/memarea.c +5 −3 Original line number Diff line number Diff line Loading @@ -83,8 +83,7 @@ typedef struct memarea_chunk_t { struct memarea_chunk_t *next_chunk; size_t mem_size; /**< How much RAM is available in mem, total? */ char *next_mem; /**< Next position in mem to allocate data at. If it's * greater than or equal to mem+mem_size, this chunk is * full. */ * equal to mem+mem_size, this chunk is full. */ #ifdef USE_ALIGNED_ATTRIBUTE /** Actual content of the memory chunk. */ char mem[FLEXIBLE_ARRAY_MEMBER] __attribute__((aligned(MEMAREA_ALIGN))); Loading Loading @@ -205,7 +204,10 @@ memarea_alloc(memarea_t *area, size_t sz) tor_assert(sz < SIZE_T_CEILING); if (sz == 0) sz = 1; if (chunk->next_mem+sz > chunk->U_MEM+chunk->mem_size) { tor_assert(chunk->next_mem <= chunk->U_MEM + chunk->mem_size); const size_t space_remaining = (chunk->U_MEM + chunk->mem_size) - chunk->next_mem; if (sz > space_remaining) { if (sz+CHUNK_HEADER_SIZE >= CHUNK_SIZE) { /* This allocation is too big. Stick it in a special chunk, and put * that chunk second in the list. */ Loading Loading
changes/memarea_overflow 0 → 100644 +7 −0 Original line number Diff line number Diff line o Minor bugfixes (pointer arithmetic): - Fix a bug in memarea_alloc() that could have resulted in remote heap write access, if Tor had ever passed an unchecked size to memarea_alloc(). Fortunately, all the sizes we pass to memarea_alloc() are pre-checked to be less than 128 kilobytes. Fixes bug 19150; bugfix on 0.2.1.1-alpha. Bug found by Guido Vranken.
src/common/memarea.c +5 −3 Original line number Diff line number Diff line Loading @@ -83,8 +83,7 @@ typedef struct memarea_chunk_t { struct memarea_chunk_t *next_chunk; size_t mem_size; /**< How much RAM is available in mem, total? */ char *next_mem; /**< Next position in mem to allocate data at. If it's * greater than or equal to mem+mem_size, this chunk is * full. */ * equal to mem+mem_size, this chunk is full. */ #ifdef USE_ALIGNED_ATTRIBUTE /** Actual content of the memory chunk. */ char mem[FLEXIBLE_ARRAY_MEMBER] __attribute__((aligned(MEMAREA_ALIGN))); Loading Loading @@ -205,7 +204,10 @@ memarea_alloc(memarea_t *area, size_t sz) tor_assert(sz < SIZE_T_CEILING); if (sz == 0) sz = 1; if (chunk->next_mem+sz > chunk->U_MEM+chunk->mem_size) { tor_assert(chunk->next_mem <= chunk->U_MEM + chunk->mem_size); const size_t space_remaining = (chunk->U_MEM + chunk->mem_size) - chunk->next_mem; if (sz > space_remaining) { if (sz+CHUNK_HEADER_SIZE >= CHUNK_SIZE) { /* This allocation is too big. Stick it in a special chunk, and put * that chunk second in the list. */ Loading
