[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

[tor-commits] [tor/master] Avoid sign-extending when computing rend auth type.

To: tor-commits@xxxxxxxxxxxxxxxxxxxx
Subject: [tor-commits] [tor/master] Avoid sign-extending when computing rend auth type.
From: nickm@xxxxxxxxxxxxxx
Date: Mon, 17 Sep 2012 14:29:24 +0000 (UTC)
Delivered-to: archiver@xxxxxxxx
Delivery-date: Mon, 17 Sep 2012 10:29:41 -0400
List-archive: <http://lists.torproject.org/pipermail/tor-commits>
List-help: <mailto:tor-commits-request@lists.torproject.org?subject=help>
List-id: "auto: code repository commits" <tor-commits.lists.torproject.org>
List-post: <mailto:tor-commits@lists.torproject.org>
List-subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-commits>, <mailto:tor-commits-request@lists.torproject.org?subject=subscribe>
List-unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-commits>, <mailto:tor-commits-request@lists.torproject.org?subject=unsubscribe>
Patch-author: Nick Mathewson <nickm@xxxxxxxxxxxxxx>
Sender: tor-commits-bounces@xxxxxxxxxxxxxxxxxxxx

commit 96d2a21683cdfe25b549e13fa450d4b12fb945b2
Author: Nick Mathewson <nickm@xxxxxxxxxxxxxx>
Date:   Mon Sep 17 09:52:43 2012 -0400

    Avoid sign-extending when computing rend auth type.
    
    Right-shifting negative values has implementation-defined behavior.
    On all the platforms we work on right now, the behavior is to
    sign-extend the input.  That isn't what we wanted in
    
        auth_type_val = (descriptor_cookie_tmp[16] >> 4) + 1;
    
    Fix for 6861; bugfix on 0.2.1.5-alpha; reported pseudonymously.
    
    The broken behavior didn't actually hurt anything, I think, since the
    only way to get sign-extension to happen would be to have the top bit
    of descriptor_cookie_tmp[16] set, which would make the value of
    descriptor_cookie_tmp[16] >> 4 somewhere between 0b11111111 and
    0b11111000 (that is, between -1 and -8).  So auth_type_val would be
    between -7 and 0.  And the immediate next line does:
    
        if (auth_type_val < 1 || auth_type_val > 2) {
    
    So the incorrectly computed auth_type_val would be rejected as
    invalid, just as a correctly computed auth_type_val would be.
    
    Still, this stuff shouldn't sit around the codebase.
---
 changes/bug6861     |    3 +++
 src/or/rendclient.c |    2 +-
 2 files changed, 4 insertions(+), 1 deletions(-)

diff --git a/changes/bug6861 b/changes/bug6861
new file mode 100644
index 0000000..1040bd7
--- /dev/null
+++ b/changes/bug6861
@@ -0,0 +1,3 @@
+  o Minor bugfixes:
+    - Fix handling of rendezvous client authorization types over 8.
+      Fixes bug 6841; bugfix on 0.2.1.5-alpha.
diff --git a/src/or/rendclient.c b/src/or/rendclient.c
index 73e1c41..2104a5b 100644
--- a/src/or/rendclient.c
+++ b/src/or/rendclient.c
@@ -1250,7 +1250,7 @@ rend_parse_service_authorization(const or_options_t *options,
                descriptor_cookie);
       goto err;
     }
-    auth_type_val = (descriptor_cookie_tmp[16] >> 4) + 1;
+    auth_type_val = (((uint8_t)descriptor_cookie_tmp[16]) >> 4) + 1;
     if (auth_type_val < 1 || auth_type_val > 2) {
       log_warn(LD_CONFIG, "Authorization cookie has unknown authorization "
                           "type encoded.");



_______________________________________________
tor-commits mailing list
tor-commits@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-commits

Prev by Author: [tor-commits] [tor/master] Turn the read_file_until_eof tests into a single implementation
Next by Author: [tor-commits] [tor/master] Merge branch 'bug6861_typofix'
Previous by thread: [tor-commits] [tor/master] Turn the read_file_until_eof tests into a single implementation
Next by thread: [tor-commits] [tor/master] Merge branch 'bug6861_typofix'
Index(es):
- Author
- Thread