Fix possible UB in an end-of-string check in get_next_token().

Remember, you can't check to see if there are N bytes left in a buffer by doing (buf + N < end), since the buf + N computation might take you off the end of the buffer and result in undefined behavior. Fixes 28202; bugfix on 0.2.0.3-alpha.

Fix possible UB in an end-of-string check in get_next_token().
368413a3 · Nick Mathewson · 5b28190c · 368413a3 · 368413a3
Commit 368413a3 authored 6 years ago by Nick Mathewson
--- a/changes/bug28202
+++ b/changes/bug28202
+  o Minor bugfixes (C correctness):
+    - Avoid undefined behavior in an end-of-string check when parsing the
+      BEGIN line in a directory object.  Fixes bug 28202; bugfix on
+      0.2.0.3-alpha.
--- a/src/or/routerparse.c
+++ b/src/or/routerparse.c
@@ -4964,7 +4964,7 @@ get_next_token(memarea_t *area,
    goto check_object;

  obstart = *s; /* Set obstart to start of object spec */
-  if (*s+16 >= eol || memchr(*s+11,'\0',eol-*s-16) || /* no short lines, */
+  if (eol - *s <= 16 || memchr(*s+11,'\0',eol-*s-16) || /* no short lines, */
      strcmp_len(eol-5, "-----", 5) ||           /* nuls or invalid endings */
      (eol-*s) > MAX_UNPARSED_OBJECT_SIZE) {     /* name too long */
    RET_ERR("Malformed object: bad begin line");