
gossip: Fix a memcmp with unset memory in broadcast queue

`tal_fmt` overallocates the returned string under some circumstances,
meaning that the trailer of the formatted string is unset, but still
considered in `tal_len`. The solution then is to truncate the
formatted string to the real string length. Only necessary here, since
we mix strings and `tal_len`.

Signed-off-by: Christian Decker <decker.christian@gmail.com>
ppa-0.6.1
Christian Decker 7 years ago
committed by Rusty Russell
parent
commit
3a42e52bcd
  1. 9
      gossipd/broadcast.c
  2. 2
      gossipd/routing.c

9
gossipd/broadcast.c

@ -1,3 +1,4 @@
#include <ccan/mem/mem.h>
#include <gossipd/broadcast.h>
struct broadcast_state *new_broadcast_state(tal_t *ctx)
@ -16,8 +17,8 @@ static struct queued_message *new_queued_message(tal_t *ctx,
{
struct queued_message *msg = tal(ctx, struct queued_message);
msg->type = type;
msg->tag = tal_dup_arr(msg, u8, tag, tal_count(tag), 0);
msg->payload = tal_dup_arr(msg, u8, payload, tal_count(payload), 0);
msg->tag = tal_dup_arr(msg, u8, tag, tal_len(tag), 0);
msg->payload = tal_dup_arr(msg, u8, payload, tal_len(payload), 0);
return msg;
}
@ -30,11 +31,13 @@ bool queue_broadcast(struct broadcast_state *bstate,
u64 index;
bool evicted = false;
memcheck(tag, tal_len(tag));
/* Remove any tag&type collisions */
for (msg = uintmap_first(&bstate->broadcasts, &index);
msg;
msg = uintmap_after(&bstate->broadcasts, &index)) {
if (msg->type == type && memcmp(msg->tag, tag, tal_count(tag)) == 0) {
if (msg->type == type && memcmp(msg->tag, tag, tal_len(tag)) == 0) {
uintmap_del(&bstate->broadcasts, index);
tal_free(msg);
evicted = true;
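Review bot: The collision check in `queue_broadcast` still compares only `tal_len(tag)` bytes, so a stored `msg->tag` that is shorter than the incoming tag is read past its allocation, and a stored tag that merely begins with the incoming bytes is evicted as a match. The tags visible in this commit are formatted short_channel_id strings trimmed to `strlen`, so their lengths can differ between entries. Comparing both lengths closes this, e.g. `if (msg->type == type && memeq(msg->tag, tal_len(msg->tag), tag, tal_len(tag))) {`, using the `ccan/mem/mem.h` header this file includes. The added `memcheck(tag, tal_len(tag))` is presumably only effective under valgrind instrumentation, so it should not be relied on to bound the read at runtime. The loop body continues outside the hunk.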

2
gossipd/routing.c

@ -554,6 +554,7 @@ const struct short_channel_id *handle_channel_announcement(
tag = type_to_string(pending, struct short_channel_id,
&pending->short_channel_id);
tal_resize(&tag, strlen(tag));
/* BOLT #7:
*
@ -635,6 +636,7 @@ bool handle_pending_cannouncement(struct routing_state *rstate,
list_del_from(&rstate->pending_cannouncement, &pending->list);
tag = type_to_string(pending, struct short_channel_id, scid);
tal_resize(&tag, strlen(tag));
/* BOLT #7:
*
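Review bot: After `tal_resize(&tag, strlen(tag));` in `handle_channel_announcement` and again in `handle_pending_cannouncement`, `tag` no longer carries a NUL terminator, so any later `%s` logging or `strlen` on it would read past the allocation. Both functions continue outside the hunks, so later uses of `tag` cannot be checked from here. A comment at each site would make the contract visible, e.g. `/* tag is now a length-delimited byte array (no NUL): use tal_len(), never %s */`. Since the same two lines are repeated, a small helper that returns the trimmed tag would keep future callers of `queue_broadcast` from forgetting the truncation.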
