[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]
[or-cvs] [tor/master] Oops; actually add the code to the last patch. :/
commit c8f94eed12c0a7e8226bdadcd26570e29152f299
Author: Nick Mathewson <nickm@xxxxxxxxxxxxxx>
Date: Wed Jan 19 13:25:17 2011 -0500
Oops; actually add the code to the last patch. :/
---
src/or/routerparse.c | 17 +++++++++++++++++
1 files changed, 17 insertions(+), 0 deletions(-)
diff --git a/src/or/routerparse.c b/src/or/routerparse.c
index 3778509..aa0687d 100644
--- a/src/or/routerparse.c
+++ b/src/or/routerparse.c
@@ -1583,6 +1583,10 @@ extrainfo_parse_entry_from_string(const char *s, const char *end,
authority_cert_t *
authority_cert_parse_from_string(const char *s, const char **end_of_string)
{
+ /** Reject any certificate at least this big; it is probably an overflow, an
+ * attack, a bug, or some other nonsense. */
+#define MAX_CERT_SIZE (128*1024)
+
authority_cert_t *cert = NULL, *old_cert;
smartlist_t *tokens = NULL;
char digest[DIGEST_LEN];
@@ -1609,6 +1613,12 @@ authority_cert_parse_from_string(const char *s, const char **end_of_string)
++eos;
len = eos - s;
+ if (len > MAX_CERT_SIZE) {
+ log_warn(LD_DIR, "Certificate is far too big (at %lu bytes long); "
+ "rejecting", (unsigned long)len);
+ return NULL;
+ }
+
tokens = smartlist_create();
area = memarea_new();
if (tokenize_string(area,s, eos, tokens, dir_key_certificate_table, 0) < 0) {
@@ -3024,6 +3034,9 @@ get_next_token(memarea_t *area,
/** Reject any object at least this big; it is probably an overflow, an
* attack, a bug, or some other nonsense. */
#define MAX_UNPARSED_OBJECT_SIZE (128*1024)
+ /** Reject any line at least this big; it is probably an overflow, an
+ * attack, a bug, or some other nonsense. */
+#define MAX_LINE_LENGTH (128*1024)
const char *next, *eol, *obstart;
size_t obname_len;
@@ -3043,6 +3056,10 @@ get_next_token(memarea_t *area,
eol = memchr(*s, '\n', eos-*s);
if (!eol)
eol = eos;
+ if (eol - *s > MAX_LINE_LENGTH) {
+ RET_ERR("Line far too long");
+ }
+
next = find_whitespace_eos(*s, eol);
if (!strcmp_len(*s, "opt", next-*s)) {