From 43414eb98821d3b5c6c65181d7545ce938f82c8e Mon Sep 17 00:00:00 2001
From: Robert Ransom
Date: Thu, 20 Jan 2011 11:17:57 -0800
Subject: [PATCH] Fix bounds-checking in policy_summarize

Found by piebeer.
---
 changes/policy_summarize-assert | 6 ++++++
 src/or/policies.c | 4 ++--
 2 files changed, 8 insertions(+), 2 deletions(-)
 create mode 100644 changes/policy_summarize-assert

diff --git a/changes/policy_summarize-assert b/changes/policy_summarize-assert
new file mode 100644
index 0000000000..619e8e7e42
--- /dev/null
+++ b/changes/policy_summarize-assert
@@ -0,0 +1,6 @@
+ o Major bugfixes (security)
+ - Fix a bounds-checking error that could allow an attacker to
+ remotely crash a directory authority. Found by piebeer.
+ Bugfix on 0.2.1.5-alpha.
+
+
diff --git a/src/or/policies.c b/src/or/policies.c
index d4b4a07c56..0a8fd7328e 100644
--- a/src/or/policies.c
+++ b/src/or/policies.c
@@ -1209,8 +1209,8 @@ policy_summarize(smartlist_t *policy)
 accepts_str = smartlist_join_strings(accepts, ",", 0, &accepts_len);
 rejects_str = smartlist_join_strings(rejects, ",", 0, &rejects_len);
 
- if (rejects_len > MAX_EXITPOLICY_SUMMARY_LEN &&
- accepts_len > MAX_EXITPOLICY_SUMMARY_LEN) {
+ if (rejects_len > MAX_EXITPOLICY_SUMMARY_LEN-strlen("reject")-1 &&
+ accepts_len > MAX_EXITPOLICY_SUMMARY_LEN-strlen("accept")-1) {
 char *c;
 shorter_str = accepts_str;
 prefix = "accept";
--
2.11.4.GIT
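Review bot: The corrected limit in the `if` of the src/or/policies.c hunk is spelled out twice, as `MAX_EXITPOLICY_SUMMARY_LEN-strlen("reject")-1` and `MAX_EXITPOLICY_SUMMARY_LEN-strlen("accept")-1`, with no comment saying that the subtracted bytes are the prefix plus one separator, so the two sides (and any later size computation outside the hunk) can drift apart again. I would compute it once in a named local, e.g. `max_list_len = MAX_EXITPOLICY_SUMMARY_LEN - strlen("accept") - 1;`, with the comment `/* room left for the list after "accept " or "reject " */`, and compare both lengths against it. The subtraction is done in `size_t`, so it presumably relies on the macro being larger than the prefix plus one; an assertion on that would keep a future change to the macro from wrapping the bound. The diffstat shows no test change, and since the changes entry describes this as a remotely triggerable crash, a regression case with accept and reject lists whose joined lengths fall between the new and the old threshold would pin the boundary. The rest of policy_summarize, including where the summary is truncated and its final size checked, lies outside the hunk.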