From 3a42e52bcd756da768e86c5c202b285d3c7f12cc Mon Sep 17 00:00:00 2001
From: Christian Decker
Date: Thu, 11 Jan 2018 14:57:00 +0100
Subject: [PATCH] gossip: Fix a memcmp with unset memory in broadcast queue

`tal_fmt` overallocates the returned string under some circumstances, meaning that the trailer of the formatted string is unset, but still considered in `tal_len`. The solution then is to truncate the formatted string to the real string length. Only necessary here, since we mix strings and `tal_len`.

Signed-off-by: Christian Decker
---
 gossipd/broadcast.c | 9 ++++++---
 gossipd/routing.c | 2 ++
 2 files changed, 8 insertions(+), 3 deletions(-)

diff --git a/gossipd/broadcast.c b/gossipd/broadcast.c
index 4721858f0..08fe93ea1 100644
--- a/gossipd/broadcast.c
+++ b/gossipd/broadcast.c
@@ -1,3 +1,4 @@
+#include
 #include
 
 struct broadcast_state *new_broadcast_state(tal_t *ctx)
@@ -16,8 +17,8 @@ static struct queued_message *new_queued_message(tal_t *ctx,
 {
 struct queued_message *msg = tal(ctx, struct queued_message);
 msg->type = type;
- msg->tag = tal_dup_arr(msg, u8, tag, tal_count(tag), 0);
- msg->payload = tal_dup_arr(msg, u8, payload, tal_count(payload), 0);
+ msg->tag = tal_dup_arr(msg, u8, tag, tal_len(tag), 0);
+ msg->payload = tal_dup_arr(msg, u8, payload, tal_len(payload), 0);
 return msg;
 }
 
@@ -30,11 +31,13 @@ bool queue_broadcast(struct broadcast_state *bstate,
 u64 index;
 bool evicted = false;
 
+ memcheck(tag, tal_len(tag));
+
 /* Remove any tag&type collisions */
 for (msg = uintmap_first(&bstate->broadcasts, &index); msg;
 msg = uintmap_after(&bstate->broadcasts, &index)) {
- if (msg->type == type && memcmp(msg->tag, tag, tal_count(tag)) == 0) {
+ if (msg->type == type && memcmp(msg->tag, tag, tal_len(tag)) == 0) {
 uintmap_del(&bstate->broadcasts, index);
 tal_free(msg);
 evicted = true;
diff --git a/gossipd/routing.c b/gossipd/routing.c
index ea4949ea8..025942693 100644
--- a/gossipd/routing.c
+++ b/gossipd/routing.c
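Review bot: The memcmp in the collision loop still sizes the comparison by the incoming tag alone, so when a stored `msg->tag` is shorter than `tag` the comparison reads past the end of `msg->tag`'s allocation; the new memcheck() validates the incoming buffer, not this over-read. Tags come from type_to_string and are truncated to strlen elsewhere in this patch, so two tags of the same type can legitimately have different lengths. Compare lengths before the bytes: `if (msg->type == type && tal_len(msg->tag) == tal_len(tag) && memcmp(msg->tag, tag, tal_len(tag)) == 0) {`. memcheck() presumably only reports under a memory checker such as valgrind, so it is a diagnostic rather than a runtime guard; a short comment saying so above the call would stop a reader from relying on it. queue_broadcast's body starts and continues outside the hunk.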
@@ -554,6 +554,7 @@ const struct short_channel_id *handle_channel_announcement(
 tag = type_to_string(pending, struct short_channel_id, &pending->short_channel_id);
+ tal_resize(&tag, strlen(tag));
 
 /* BOLT #7:
 *
@@ -635,6 +636,7 @@ bool handle_pending_cannouncement(struct routing_state *rstate,
 list_del_from(&rstate->pending_cannouncement, &pending->list);
 
 tag = type_to_string(pending, struct short_channel_id, scid);
+ tal_resize(&tag, strlen(tag));
 
 /* BOLT #7:
 *
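Review bot: After `tal_resize(&tag, strlen(tag))` the tal length no longer covers the NUL terminator, so from this line on `tag` is a raw byte array rather than a C string, and any later use of it as a string (strlen, a `%s` format, strcmp) would read one byte past what tal accounts for; the second hunk in handle_pending_cannouncement has the same property. If `tag` is only handed to consumers that size it with tal_len, this is fine, but the invariant deserves a comment at both sites: `/* Drop the NUL: tag is sized by tal_len from here on, not a C string */`. Both enclosing functions start and end outside their hunks.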