mirrors/core-lightning
1
0
Fork 0
mirror of https://github.com/ElementsProject/lightning.git synced 2024-11-19 09:54:16 +01:00
Code Issues Projects Releases Wiki Activity

gossip: Fix a memcmp with unset memory in broadcast queue

Browse Source 
`tal_fmt` overallocates the returned string under some circumstances,
meaning that the trailer of the formatted string is unset, but still
considered in `tal_len`. The solution then is to truncate the
formatted string to the real string length. Only necessary here, since
we mix strings and `tal_len`.

Signed-off-by: Christian Decker <decker.christian@gmail.com>
This commit is contained in:
Christian Decker 2018-01-11 14:57:00 +01:00 committed by Rusty Russell
parent 4fe83cd405
commit 3a42e52bcd
2 changed files with 8 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
gossipd/broadcast.c
View File

@ -1,3 +1,4 @@
#include <ccan/mem/mem.h>
#include <gossipd/broadcast.h>
struct broadcast_state *new_broadcast_state(tal_t *ctx)
@ -16,8 +17,8 @@ static struct queued_message *new_queued_message(tal_t *ctx,
{
struct queued_message *msg = tal(ctx, struct queued_message);
msg->type = type;
msg->tag = tal_dup_arr(msg, u8, tag, tal_count(tag), 0);
msg->payload = tal_dup_arr(msg, u8, payload, tal_count(payload), 0);
msg->tag = tal_dup_arr(msg, u8, tag, tal_len(tag), 0);
msg->payload = tal_dup_arr(msg, u8, payload, tal_len(payload), 0);
return msg;
}
@ -30,11 +31,13 @@ bool queue_broadcast(struct broadcast_state *bstate,
u64 index;
bool evicted = false;
memcheck(tag, tal_len(tag));
/* Remove any tag&type collisions */
for (msg = uintmap_first(&bstate->broadcasts, &index);
msg;
msg = uintmap_after(&bstate->broadcasts, &index)) {
if (msg->type == type && memcmp(msg->tag, tag, tal_count(tag)) == 0) {
if (msg->type == type && memcmp(msg->tag, tag, tal_len(tag)) == 0) {
uintmap_del(&bstate->broadcasts, index);
tal_free(msg);
evicted = true;

2
gossipd/routing.c
View File

@ -554,6 +554,7 @@ const struct short_channel_id *handle_channel_announcement(
tag = type_to_string(pending, struct short_channel_id,
&pending->short_channel_id);
tal_resize(&tag, strlen(tag));
/* BOLT #7:
*
@ -635,6 +636,7 @@ bool handle_pending_cannouncement(struct routing_state *rstate,
list_del_from(&rstate->pending_cannouncement, &pending->list);
tag = type_to_string(pending, struct short_channel_id, scid);
tal_resize(&tag, strlen(tag));
/* BOLT #7:
*