Fix a crash bug in max_u16_in_sl()

The documentation for this function says that the smartlist can contain NULLs, but the code only handled NULLs if they were at the start of the list. We didn't notice this for a long time, because when Tor is run normally, the sequence of msg_id_t is densely packed, and so this list (mapping msg_id_t to channel_id_t) contains no NULL elements. We could only run into this bug: * when Tor was running in embedded mode, and starting more than once. * when Tor ran first with more pubsub messages enabled, and then later with fewer. * When the second run (the one with fewer enabled pubsub messages) had at least some messages enabled, and those messages were not the ones with numerically highest msg_id_t values. Fixes bug 31898; bugfix on 47de9c7b in 0.4.1.1-alpha.

Fix a crash bug in max_u16_in_sl()
2b825a1a · Nick Mathewson · 34bbdaf5 · 2b825a1a · 2b825a1a
Commit 2b825a1a authored 5 years ago by Nick Mathewson
--- a/changes/bug31898
+++ b/changes/bug31898
+  o Major bugfixes (embedded Tor):
+    - Avoid a possible crash when restarting Tor in embedded mode and
+      enabling a different set of publish/subscribe messages. Fixes bug
+      31898; bugfix on 0.4.1.1-alpha.
--- a/src/lib/dispatch/dispatch_new.c
+++ b/src/lib/dispatch/dispatch_new.c
@@ -34,7 +34,7 @@ max_in_u16_sl(const smartlist_t *sl, int dflt)
  SMARTLIST_FOREACH_BEGIN(sl, uint16_t *, u) {
    if (!maxptr)
      maxptr = u;
-    else if (*u > *maxptr)
+    else if (u && *u > *maxptr)
      maxptr = u;
  } SMARTLIST_FOREACH_END(u);