Limit the number of elements in a consdiff hash line.

This avoids performing and then freeing a lot of small mallocs() if the hash line has too many elements. Fixes one case of bug 40472; resolves OSS-Fuzz 38363. Bugfix on 0.3.1.1-alpha when the consdiff parsing code was introduced.

Limit the number of elements in a consdiff hash line.
86819229 · Nick Mathewson · 4a246734 · 86819229 · 86819229
Commit 86819229 authored 3 years ago by Nick Mathewson
--- a/changes/bug40472
+++ b/changes/bug40472
+  o Minor bugfixes (performance, DoS):
+    - Fix one case of a not-especially viable denial-of-service attack found
+      by OSS-Fuzz in our consensus-diff parsing code. This attack causes a
+      lot small of memory allocations and then immediately frees them: this
+      is only slow when running with all the sanitizers enabled.  Fixes one
+      case of bug 40472; bugfix on 0.3.1.1-alpha.
--- a/src/feature/dircommon/consdiff.c
+++ b/src/feature/dircommon/consdiff.c
@@ -1126,7 +1126,7 @@ consdiff_get_digests(const smartlist_t *diff,
  {
    const cdline_t *line2 = smartlist_get(diff, 1);
    char *h = tor_memdup_nulterm(line2->s, line2->len);
-    smartlist_split_string(hash_words, h, " ", 0, 0);
+    smartlist_split_string(hash_words, h, " ", 0, 4);
    tor_free(h);
  }