Commit 86819229 authored by Nick Mathewson

Limit the number of elements in a consdiff hash line.

This avoids performing and then freeing a lot of small mallocs() if
the hash line has too many elements.

Fixes one case of bug 40472; resolves OSS-Fuzz 38363.  Bugfix on
0.3.1.1-alpha when the consdiff parsing code was introduced.
parent 4a246734
o Minor bugfixes (performance, DoS):
- Fix one case of a not-especially viable denial-of-service attack found
by OSS-Fuzz in our consensus-diff parsing code. This attack causes a
lot small of memory allocations and then immediately frees them: this
is only slow when running with all the sanitizers enabled. Fixes one
case of bug 40472; bugfix on 0.3.1.1-alpha.
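Review bot: the changes entry has transposed words in "a lot small of memory allocations"; it should read "a lot of small memory allocations". The entry also calls the problem a denial-of-service attack while saying it is only slow under the sanitizers, so it may be worth one more clause stating what an affected build looks like (for example, fuzzing or sanitizer-enabled builds), so that release-note readers can judge whether it applies to them.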
......@@ -1126,7 +1126,7 @@ consdiff_get_digests(const smartlist_t *diff,
{
const cdline_t *line2 = smartlist_get(diff, 1);
char *h = tor_memdup_nulterm(line2->s, line2->len);
smartlist_split_string(hash_words, h, " ", 0, 0);
smartlist_split_string(hash_words, h, " ", 0, 4);
tor_free(h);
}
......
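Review bot: the literal 4 passed as the last argument of smartlist_split_string() for the hash line is unexplained at the call site. A one-line comment stating how many space-separated words a valid hash line carries, and why the cap is set to 4 rather than that exact count, would make the intent clear to the next reader. The length check on hash_words is outside the visible context, so it is worth confirming that it still rejects a line with too many elements now that the split stops early, and that any excess text left in the last element cannot be accepted as a digest. A unit test that feeds consdiff_get_digests() a hash line with a large number of elements would pin down both the rejection and the bounded allocation count.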