diff options
| author | Nick Mathewson <nickm@torproject.org> | 2011-01-13 14:36:41 -0500 |
|---|---|---|
| committer | Nick Mathewson <nickm@torproject.org> | 2011-01-15 11:49:25 -0500 |
| commit | 115782bdbe42e4b3d5cb386d2939a883bc381d12 (patch) | |
| tree | facebd78bfcd426d3404999e5237c502fb34ebaa /src/or/rendcommon.c | |
| parent | a16902b9d4b0a912eb0a252bb945cbeaaa40dacb (diff) | |
| download | tor-115782bdbe42e4b3d5cb386d2939a883bc381d12.tar tor-115782bdbe42e4b3d5cb386d2939a883bc381d12.tar.gz | |
Fix a heap overflow found by debuger, and make it harder to make that mistake again
Our public key functions assumed that they were always writing into a
large enough buffer. In one case, they weren't.
(Incorporates fixes from sebastian)
Diffstat (limited to 'src/or/rendcommon.c')
| -rw-r--r-- | src/or/rendcommon.c | 4 |
1 files changed, 3 insertions, 1 deletions
diff --git a/src/or/rendcommon.c b/src/or/rendcommon.c index 1d96f3daf..d6f544381 100644 --- a/src/or/rendcommon.c +++ b/src/or/rendcommon.c @@ -700,7 +700,9 @@ rend_encode_service_descriptor(rend_service_descriptor_t *desc, cp += ipoint_len+1; } note_crypto_pk_op(REND_SERVER); - r = crypto_pk_private_sign_digest(key, cp, *str_out, cp-*str_out); + r = crypto_pk_private_sign_digest(key, + cp, buflen - (cp - *str_out), + *str_out, cp-*str_out); if (r<0) { tor_free(*str_out); return -1; |