smartlist_bsearch_idx() is broken for short lists
Per asn:
---begin quote---
Hi Andrea,
this is a possible bug I was discussing with Nick. He is pretty busy these days, so a third set of eyes could be useful:
hi fwiw smartlist_bsearch_idx() seems a bit sloppy it doesn't handle the case where the sl is empty (smartlist_len(sl) - 1, underflows) and if sl has one element, there is still the danger of underflowing 'hi = mid-1;'. from what I see, the function is only used with smartlist carrying the whole routerlist, so it's "safe" till tor has only one relay. ...at which point we've got other problems, yeah. still a good idea to fix it hang on it's used in smartlist_bsearch, which is used in other places too i think smartlist_bsearch() is also only used with the whole routerlist. you mean networkstatus the routerlist is the list of routerinfo_t we know there are enough places where it's used that I think we should have more eyes looking at it before we accidentally 0day ourselves. I'll look through the code by thursday; you can also ask athena on #tor-internal if you like btw, the interface of smartlist_bsearch_idx() doesn't allow particularly elegant error handling :(
--- end quote ---
This function is broken for lists of length zero or one and doesn't check the pointer arguments for nullness properly.
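The following is an added example, not Tor's code and not the fix adopted for this ticket: a binary search over a sorted pointer array that stays in bounds for lists of length zero and one by using a half-open range, so neither `len - 1` nor `mid - 1` is ever computed, and that checks its pointer arguments. The names `bsearch_idx_safe` and `compare_str` and the sample data are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper, not Tor's smartlist API. Searches a sorted pointer
 * array. On a match returns its index with *found_out = 1; otherwise returns
 * the insertion index (0..len) with *found_out = 0. (size_t)-1 on bad args. */
size_t
bsearch_idx_safe(void *const *items, size_t len, const void *key,
                 int (*compare)(const void *key, const void *member),
                 int *found_out)
{
  size_t lo = 0, hi = len;      /* half-open range [lo, hi): no "len - 1" */

  if (!found_out)
    return (size_t)-1;
  *found_out = 0;
  if (!key || !compare || (!items && len > 0))
    return (size_t)-1;

  while (lo < hi) {             /* never entered for an empty list */
    size_t mid = lo + (hi - lo) / 2;
    int cmp = compare(key, items[mid]);
    if (cmp == 0) {
      *found_out = 1;
      return mid;
    } else if (cmp < 0) {
      hi = mid;                 /* not "mid - 1": cannot wrap when mid == 0 */
    } else {
      lo = mid + 1;
    }
  }
  return lo;                    /* where key would be inserted */
}

/* Comparison for the constructed sample data: key and members are strings. */
int
compare_str(const void *key, const void *member)
{
  return strcmp((const char *)key, (const char *)member);
}

int
main(void)
{
  void *one[] = { (void *)"b" };  /* constructed one-element list */
  int found;
  size_t idx = bsearch_idx_safe(one, 1, "a", compare_str, &found);
  printf("idx=%zu found=%d\n", idx, found);
  return 0;
}
```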