[tor-commits] [tor/release-0.2.3] Stop leaking memory in error cases of md parsing

nickm at torproject.org nickm at torproject.org
Sun Oct 19 18:35:48 UTC 2014


commit 65575b0755f64d21d59532bf58e6c27e14086bbb
Author: Nick Mathewson <nickm at torproject.org>
Date:   Sat Apr 26 12:45:34 2014 -0400

    Stop leaking memory in error cases of md parsing
    
    When clearing a list of tokens, it's important to do token_clear()
    on them first, or else any keys they contain will leak.  This didn't
    leak memory on any of the successful microdescriptor parsing paths,
    but it does leak on some failing paths when the failure happens
    during tokenization.
    
    Fixes bug 11618; bugfix on 0.2.2.6-alpha.
---
 changes/md_leak_bug  |    5 +++++
 src/or/routerparse.c |    2 ++
 2 files changed, 7 insertions(+)

diff --git a/changes/md_leak_bug b/changes/md_leak_bug
new file mode 100644
index 0000000..26270aa
--- /dev/null
+++ b/changes/md_leak_bug
@@ -0,0 +1,5 @@
+  o Major bugfixes (security, OOM)
+    - Fix a memory leak that could occur if a microdescriptor parse
+      fails during the tokenizing step. This could enable a memory
+      exhaustion attack by directory servers. Fixes bug #11649; bugfix
+      on 0.2.2.6-alpha.
diff --git a/src/or/routerparse.c b/src/or/routerparse.c
index 97e0bc8..3ff887c 100644
--- a/src/or/routerparse.c
+++ b/src/or/routerparse.c
@@ -4455,11 +4455,13 @@ microdescs_parse_from_string(const char *s, const char *eos,
     microdesc_free(md);
     md = NULL;
 
+    SMARTLIST_FOREACH(tokens, directory_token_t *, t, token_clear(t));
     memarea_clear(area);
     smartlist_clear(tokens);
     s = start_of_next_microdesc;
   }
 
+  SMARTLIST_FOREACH(tokens, directory_token_t *, t, token_clear(t));
   memarea_drop_all(area);
   smartlist_free(tokens);
 





More information about the tor-commits mailing list