[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]
[or-cvs] r19250: {tor} Fix a few crash bugs related to malormed descriptors. Lark f (in tor/trunk: . src/or)
Author: nickm
Date: 2009-04-09 15:58:16 -0400 (Thu, 09 Apr 2009)
New Revision: 19250
Modified:
tor/trunk/ChangeLog
tor/trunk/src/or/routerparse.c
Log:
Fix a few crash bugs related to malormed descriptors. Lark found one; fuzzing found the rest.
Modified: tor/trunk/ChangeLog
===================================================================
--- tor/trunk/ChangeLog 2009-04-09 04:12:10 UTC (rev 19249)
+++ tor/trunk/ChangeLog 2009-04-09 19:58:16 UTC (rev 19250)
@@ -1,4 +1,8 @@
Changes in version 0.2.1.14-??? - 2009-04-??
+ o Security fixes:
+ - Avoid crashing in the presence of certain malformed descriptors.
+ Found by lark, and by automated fuzzing.
+
o Minor bugfixes:
- Avoid trying to print raw memory to the logs when we decide to
give up on downloading a given relay descriptor. Bugfix on
Modified: tor/trunk/src/or/routerparse.c
===================================================================
--- tor/trunk/src/or/routerparse.c 2009-04-09 04:12:10 UTC (rev 19249)
+++ tor/trunk/src/or/routerparse.c 2009-04-09 19:58:16 UTC (rev 19250)
@@ -411,7 +411,7 @@
T0N("opt", K_OPT, CONCAT_ARGS, OBJ_OK ),
- T1N("dir-source", K_DIR_SOURCE, GE(3), NO_OBJ ),
+ T1N("dir-source", K_DIR_SOURCE, GE(6), NO_OBJ ),
T1N("contact", K_CONTACT, CONCAT_ARGS, NO_OBJ ),
T1N("vote-digest", K_VOTE_DIGEST, GE(1), NO_OBJ ),
@@ -1933,7 +1933,7 @@
tor_assert(tok->n_args == 1);
if (strcmpstart(tok->args[0], "accept ") &&
strcmpstart(tok->args[0], "reject ")) {
- log_err(LD_DIR, "Unknown exit policy summary type %s.",
+ log_warn(LD_DIR, "Unknown exit policy summary type %s.",
escaped(tok->args[0]));
goto err;
}
@@ -2311,8 +2311,7 @@
ns->voters = smartlist_create();
- SMARTLIST_FOREACH(tokens, directory_token_t *, _tok,
- {
+ SMARTLIST_FOREACH_BEGIN(tokens, directory_token_t *, _tok) {
tok = _tok;
if (tok->tp == K_DIR_SOURCE) {
tor_assert(tok->n_args >= 6);
@@ -2369,11 +2368,11 @@
base16_decode(voter->vote_digest, sizeof(voter->vote_digest),
tok->args[0], HEX_DIGEST_LEN) < 0) {
log_warn(LD_DIR, "Error decoding vote digest %s in "
- "network-status consensus.", escaped(tok->args[1]));
+ "network-status consensus.", escaped(tok->args[0]));
goto err;
}
}
- });
+ } SMARTLIST_FOREACH_END(_tok);
if (voter) {
smartlist_add(ns->voters, voter);
voter = NULL;
@@ -2903,6 +2902,7 @@
case NEED_KEY: /* There must be some kind of key. */
if (!tok->key) {
tor_snprintf(ebuf, sizeof(ebuf), "Missing public key for %s", kwd);
+ RET_ERR(ebuf);
}
if (o_syn != NEED_SKEY_1024) {
if (crypto_pk_key_is_private(tok->key)) {
@@ -3049,8 +3049,7 @@
goto check_object;
obstart = *s; /* Set obstart to start of object spec */
- tor_assert(eol >= (*s+16));
- if (*s+11 >= eol-5 || memchr(*s+11,'\0',eol-*s-16) || /* no short lines, */
+ if (*s+16 >= eol || memchr(*s+11,'\0',eol-*s-16) || /* no short lines, */
strcmp_len(eol-5, "-----", 5)) { /* nuls or invalid endings */
RET_ERR("Malformed object: bad begin line");
}