[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]
[tor-commits] [tor/master] rust: Fix ProtoSet and ProtoEntry to use the same DoS limits as C.
commit f2daf82794c59c37756abeaf3e41e5ebe1e7fcde
Author: Isis Lovecruft <isis@xxxxxxxxxxxxxx>
Date: Tue Mar 27 22:46:14 2018 +0000
rust: Fix ProtoSet and ProtoEntry to use the same DoS limits as C.
Previously, the limit for MAX_PROTOCOLS_TO_EXPAND was actually being applied
in Rust to the maximum number of version (total, for all subprotocols).
Whereas in C, it was being applied to the number of subprotocols that were
allowed. This changes the Rust to match C's behaviour.
---
src/rust/protover/protoset.rs | 14 +++++++-------
src/rust/protover/protover.rs | 18 +++++++++++++++---
src/rust/protover/tests/protover.rs | 14 --------------
3 files changed, 22 insertions(+), 24 deletions(-)
diff --git a/src/rust/protover/protoset.rs b/src/rust/protover/protoset.rs
index f94e6299c..4afc50edf 100644
--- a/src/rust/protover/protoset.rs
+++ b/src/rust/protover/protoset.rs
@@ -8,7 +8,6 @@ use std::slice;
use std::str::FromStr;
use std::u32;
-use protover::MAX_PROTOCOLS_TO_EXPAND;
use errors::ProtoverError;
/// A single version number.
@@ -183,10 +182,6 @@ impl ProtoSet {
last_high = high;
}
- if self.len() > MAX_PROTOCOLS_TO_EXPAND {
- return Err(ProtoverError::ExceedsMax);
- }
-
Ok(self)
}
@@ -317,9 +312,15 @@ impl FromStr for ProtoSet {
/// assert!(protoset.contains(&5));
/// assert!(!protoset.contains(&10));
///
- /// // We can also equivalently call `ProtoSet::from_str` by doing:
+ /// // We can also equivalently call `ProtoSet::from_str` by doing (all
+ /// // implementations of `FromStr` can be called this way, this one isn't
+ /// // special):
/// let protoset: ProtoSet = "4-6,12".parse()?;
///
+ /// // Calling it (either way) can take really large ranges (up to `u32::MAX`):
+ /// let protoset: ProtoSet = "1-70000".parse()?;
+ /// let protoset: ProtoSet = "1-4294967296".parse()?;
+ ///
/// // There are lots of ways to get an `Err` from this function. Here are
/// // a few:
/// assert_eq!(Err(ProtoverError::Unparseable), ProtoSet::from_str("="));
@@ -327,7 +328,6 @@ impl FromStr for ProtoSet {
/// assert_eq!(Err(ProtoverError::Unparseable), ProtoSet::from_str("not_an_int"));
/// assert_eq!(Err(ProtoverError::Unparseable), ProtoSet::from_str("3-"));
/// assert_eq!(Err(ProtoverError::Unparseable), ProtoSet::from_str("1-,4"));
- /// assert_eq!(Err(ProtoverError::ExceedsMax), ProtoSet::from_str("1-70000"));
///
/// // Things which would get parsed into an _empty_ `ProtoSet` are,
/// // however, legal, and result in an empty `ProtoSet`:
diff --git a/src/rust/protover/protover.rs b/src/rust/protover/protover.rs
index b4fb2e842..514aeffc5 100644
--- a/src/rust/protover/protover.rs
+++ b/src/rust/protover/protover.rs
@@ -26,7 +26,7 @@ const FIRST_TOR_VERSION_TO_ADVERTISE_PROTOCOLS: &'static str = "0.2.9.3-alpha";
/// before concluding that someone is trying to DoS us
///
/// C_RUST_COUPLED: src/or/protover.c `MAX_PROTOCOLS_TO_EXPAND`
-pub(crate) const MAX_PROTOCOLS_TO_EXPAND: usize = (1<<16);
+const MAX_PROTOCOLS_TO_EXPAND: usize = (1<<16);
/// Known subprotocols in Tor. Indicates which subprotocol a relay supports.
///
@@ -155,6 +155,10 @@ impl ProtoEntry {
supported.parse()
}
+ pub fn len(&self) -> usize {
+ self.0.len()
+ }
+
pub fn get(&self, protocol: &Protocol) -> Option<&ProtoSet> {
self.0.get(protocol)
}
@@ -209,8 +213,11 @@ impl FromStr for ProtoEntry {
let proto_name: Protocol = proto.parse()?;
proto_entry.insert(proto_name, versions);
- }
+ if proto_entry.len() > MAX_PROTOCOLS_TO_EXPAND {
+ return Err(ProtoverError::ExceedsMax);
+ }
+ }
Ok(proto_entry)
}
}
@@ -723,8 +730,13 @@ mod test {
}
#[test]
+ fn test_protoentry_from_str_allowed_number_of_versions() {
+ assert_protoentry_is_parseable!("Desc=1-4294967294");
+ }
+
+ #[test]
fn test_protoentry_from_str_too_many_versions() {
- assert_protoentry_is_unparseable!("Desc=1-65537");
+ assert_protoentry_is_unparseable!("Desc=1-4294967295");
}
#[test]
diff --git a/src/rust/protover/tests/protover.rs b/src/rust/protover/tests/protover.rs
index 11015f35b..2db01a163 100644
--- a/src/rust/protover/tests/protover.rs
+++ b/src/rust/protover/tests/protover.rs
@@ -353,13 +353,6 @@ fn protover_all_supported_should_exclude_some_versions_and_entire_protocols() {
}
#[test]
-#[should_panic(expected = "called `Result::unwrap()` on an `Err` value: ExceedsMax")]
-// C_RUST_DIFFERS: This test fails in Rust (but not in C) because an
-// UnvalidatedProtoEntry is defined as a Hashmap<UnknownProtocol, ProtoSet>.
-// Because it contains the ProtoSet part, there's still *some* validation
-// happening, so in this case the DoS protections in the Rust code are kicking
-// in because the range here is exceeds the maximum, so it returns an
-// Err(ProtoverError::ExceedsMax). The C, however seems to parse it anyway.
fn protover_all_supported_should_not_dos_anyones_computer() {
let proto: UnvalidatedProtoEntry = "Sleen=0-2147483648".parse().unwrap();
let result: String = proto.all_supported().unwrap().to_string();
@@ -368,13 +361,6 @@ fn protover_all_supported_should_not_dos_anyones_computer() {
}
#[test]
-#[should_panic(expected = "called `Result::unwrap()` on an `Err` value: ExceedsMax")]
-// C_RUST_DIFFERS: This test fails in Rust (but not in C) because an
-// UnvalidatedProtoEntry is defined as a Hashmap<UnknownProtocol, ProtoSet>.
-// Because it contains the ProtoSet part, there's still *some* validation
-// happening, so in this case the DoS protections in the Rust code are kicking
-// in because the range here is exceeds the maximum, so it returns an
-// Err(ProtoverError::ExceedsMax). The C, however seems to parse it anyway.
fn protover_all_supported_should_not_dos_anyones_computer_max_versions() {
let proto: UnvalidatedProtoEntry = "Sleen=0-4294967294".parse().unwrap();
let result: String = proto.all_supported().unwrap().to_string();
_______________________________________________
tor-commits mailing list
tor-commits@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-commits