diff options
| author | Nick Mathewson <nickm@torproject.org> | 2015-06-25 10:41:15 -0400 |
|---|---|---|
| committer | Nick Mathewson <nickm@torproject.org> | 2015-06-25 10:41:15 -0400 |
| commit | fce2a15ffbea9a2a54b0686c2859a1ee1039a660 (patch) | |
| tree | c13bb3bb3ec8b7df8feb75479f0156d24a9168c4 | |
| parent | 3f336966a264d7cd7c6dab08fb85d85273f06d68 (diff) | |
| parent | 03e3cf6a7aa86c74d01cebd61c9ad89200661e73 (diff) | |
| download | tor-fce2a15ffbea9a2a54b0686c2859a1ee1039a660.tar.gz tor-fce2a15ffbea9a2a54b0686c2859a1ee1039a660.zip | |
Merge remote-tracking branch 'origin/maint-0.2.6'
| -rw-r--r-- | changes/bug16400 | 5 | ||||
| -rw-r--r-- | src/or/routerparse.c | 14 | ||||
| -rw-r--r-- | src/test/test_microdesc.c | 34 |
3 files changed, 50 insertions, 3 deletions
diff --git a/changes/bug16400 b/changes/bug16400 new file mode 100644 index 0000000000..3e5f9c5843 --- /dev/null +++ b/changes/bug16400 @@ -0,0 +1,5 @@ + o Major bugfixes: + - Do not crash with an assertion error when parsing certain kinds + of malformed or truncated microdescriptors. Fixes bug 16400; + bugfix on 0.2.6.1-alpha. Found by "torkeln"; fix based on a patch by + "cypherpunks_backup". diff --git a/src/or/routerparse.c b/src/or/routerparse.c index ae50cda248..3904671d01 100644 --- a/src/or/routerparse.c +++ b/src/or/routerparse.c @@ -1,4 +1,4 @@ -/* Copyright (c) 2001 Matej Pfajfar. + /* Copyright (c) 2001 Matej Pfajfar. * Copyright (c) 2001-2004, Roger Dingledine. * Copyright (c) 2004-2006, Roger Dingledine, Nick Mathewson. * Copyright (c) 2007-2015, The Tor Project, Inc. */ @@ -4479,7 +4479,10 @@ microdescs_parse_from_string(const char *s, const char *eos, { const char *cp = tor_memstr(s, start_of_next_microdesc-s, "onion-key"); - tor_assert(cp); + const int no_onion_key = (cp == NULL); + if (no_onion_key) { + cp = s; /* So that we have *some* junk to put in the body */ + } md->bodylen = start_of_next_microdesc - cp; md->saved_location = where; @@ -4488,8 +4491,13 @@ microdescs_parse_from_string(const char *s, const char *eos, else md->body = (char*)cp; md->off = cp - start; + crypto_digest256(md->digest, md->body, md->bodylen, DIGEST_SHA256); + if (no_onion_key) { + log_fn(LOG_PROTOCOL_WARN, LD_DIR, "Malformed or truncated descriptor"); + goto next; + } } - crypto_digest256(md->digest, md->body, md->bodylen, DIGEST_SHA256); + if (tokenize_string(area, s, start_of_next_microdesc, tokens, microdesc_token_table, flags)) { diff --git a/src/test/test_microdesc.c b/src/test/test_microdesc.c index 5dc5b2b4fa..a4b9a0cc05 100644 --- a/src/test/test_microdesc.c +++ b/src/test/test_microdesc.c @@ -807,12 +807,46 @@ test_md_reject_cache(void *arg) tor_free(mock_ns_val); } +static void +test_md_corrupt_desc(void *arg) +{ + char *cp = NULL; + smartlist_t *sl = NULL; + (void) arg; + + sl = microdescs_add_to_cache(get_microdesc_cache(), + "@last-listed 2015-06-22 10:00:00\n" + "onion-k\n", + NULL, SAVED_IN_JOURNAL, 0, time(NULL), NULL); + tt_int_op(smartlist_len(sl), ==, 0); + smartlist_free(sl); + + sl = microdescs_add_to_cache(get_microdesc_cache(), + "@last-listed 2015-06-22 10:00:00\n" + "wiggly\n", + NULL, SAVED_IN_JOURNAL, 0, time(NULL), NULL); + tt_int_op(smartlist_len(sl), ==, 0); + smartlist_free(sl); + + tor_asprintf(&cp, "%s\n%s", test_md1, "@foobar\nonion-wobble\n"); + + sl = microdescs_add_to_cache(get_microdesc_cache(), + cp, cp+strlen(cp), + SAVED_IN_JOURNAL, 0, time(NULL), NULL); + tt_int_op(smartlist_len(sl), ==, 0); + smartlist_free(sl); + + done: + tor_free(cp); +} + struct testcase_t microdesc_tests[] = { { "cache", test_md_cache, TT_FORK, NULL, NULL }, { "broken_cache", test_md_cache_broken, TT_FORK, NULL, NULL }, { "generate", test_md_generate, 0, NULL, NULL }, { "parse", test_md_parse, 0, NULL, NULL }, { "reject_cache", test_md_reject_cache, TT_FORK, NULL, NULL }, + { "corrupt_desc", test_md_corrupt_desc, TT_FORK, NULL, NULL }, END_OF_TESTCASES }; |