smartlist_bsearch_idx() is broken for short lists
This is a possible bug I was discussing with Nick. He is pretty busy these days, so a third set of eyes could be useful:
hi
fwiw smartlist_bsearch_idx() seems a bit sloppy
it doesn't handle the case where the sl is empty (smartlist_len(sl) - 1 underflows) and if sl has one element, there is still the danger of underflowing 'hi = mid-1;'.
from what I see, the function is only used with smartlist carrying the whole routerlist, so it's "safe" till tor has only one relay.
...at which point we've got other problems, yeah. still a good idea to fix it
hang on
it's used in smartlist_bsearch, which is used in other places too
i think smartlist_bsearch() is also only used with the whole routerlist.
you mean networkstatus
the routerlist is the list of routerinfo_t we know
there are enough places where it's used that I think we should have more eyes looking at it before we accidentally 0day ourselves.
I'll look through the code by thursday; you can also ask athena on #tor-internal if you like
btw, the interface of smartlist_bsearch_idx() doesn't allow particularly elegant error handling :(
--- end quote ---
This function is broken for lists of length zero or one and doesn't check the pointer arguments for nullness properly.
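An added example, not Tor's code: a minimal sorted-int stand-in for the smartlist with a binary search written over a half-open interval, which is the usual way to make the length-0 and length-1 cases fall out naturally and to avoid the `hi = mid-1` underflow the log describes, plus explicit NULL checks on the arguments. The found_out / insertion-index contract and every name here are assumptions.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed stand-in for a smartlist of sorted ints.
 * Not Tor's smartlist_t; every name here is hypothetical. */
typedef struct { const int *items; int len; } intlist_t;

/* Half-open search over [lo, hi): hi starts at len (not len - 1) and
 * only ever moves to mid (never mid - 1), so empty and one-element
 * lists need no special case and no index can go negative.
 * Returns the index of key if present, else the index at which key
 * would be inserted; *found_out is set to 1 or 0. NULL arguments
 * are rejected with -1 rather than dereferenced. */
int intlist_bsearch_idx(const intlist_t *sl, int key, int *found_out)
{
    if (!sl || !found_out || (sl->len > 0 && !sl->items))
        return -1;
    int lo = 0, hi = sl->len;
    while (lo < hi) {
        int mid = lo + (hi - lo) / 2;   /* avoids (lo + hi) overflow */
        if (sl->items[mid] < key)
            lo = mid + 1;
        else
            hi = mid;
    }
    *found_out = (lo < sl->len && sl->items[lo] == key);
    return lo;
}

/* Constructed samples for the lengths the ticket worries about. */
static const int one_item[] = { 7 }, four_items[] = { 2, 4, 6, 8 };
const intlist_t sample_empty = { NULL, 0 };
const intlist_t sample_single = { one_item, 1 };
const intlist_t sample_many = { four_items, 4 };

/* 1 when the search yields exactly the expected index and found flag. */
int search_matches(const intlist_t *sl, int key, int exp_idx, int exp_found)
{
    int found = -1;
    int idx = intlist_bsearch_idx(sl, key, &found);
    return idx == exp_idx && found == exp_found;
}

int main(void)
{
    printf("empty, key 5: %s\n", search_matches(&sample_empty, 5, 0, 0) ? "ok" : "FAIL");
    printf("[7], key 9:   %s\n", search_matches(&sample_single, 9, 1, 0) ? "ok" : "FAIL");
    return 0;
}
```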