Merge branch 'maint-0.2.7-redux' into maint-0.2.8

3 files changed, 21 insertions, 2 deletions

diff --git a/changes/bug22789 b/changes/bug22789
new file mode 100644
index 0000000000..dc9fa29811
--- /dev/null
+++ b/changes/bug22789
@@ -0,0 +1,6 @@
+  o Major bugfixes (openbsd, denial-of-service):
+    - Avoid an assertion failure bug affecting our implementation of
+      inet_pton(AF_INET6) on certain OpenBSD systems whose strtol()
+      handling of "0xfoo" differs from what we had expected.
+      Fixes bug 22789; bugfix on 0.2.3.8-alpha.
+
diff --git a/src/common/compat.c b/src/common/compat.c
index 23eaa134cf..ede850792f 100644
--- a/src/common/compat.c
+++ b/src/common/compat.c
@@ -2610,8 +2610,12 @@ tor_inet_pton(int af, const char *src, void *dst)
         char *next;
         ssize_t len;
         long r = strtol(src, &next, 16);
-        tor_assert(next != NULL);
-        tor_assert(next != src);
+        if (next == NULL || next == src) {
+          /* The 'next == src' error case can happen on versions of openbsd
+           * where treats "0xfoo" as an error, rather than as "0" followed by
+           * "xfoo". */
+          return 0;
+        }
 
         len = *next == '\0' ? eow - src : next - src;
         if (len > 4)
diff --git a/src/test/test_addr.c b/src/test/test_addr.c
index 337bddad6b..56e79d707a 100644
--- a/src/test/test_addr.c
+++ b/src/test/test_addr.c
@@ -354,6 +354,15 @@ test_addr_ip6_helpers(void *arg)
   test_pton6_bad("1.2.3.4");
   test_pton6_bad(":1.2.3.4");
   test_pton6_bad(".2.3.4");
+  /* Regression tests for 22789. */
+  test_pton6_bad("0xfoo");
+  test_pton6_bad("0x88");
+  test_pton6_bad("0xyxxy");
+  test_pton6_bad("0XFOO");
+  test_pton6_bad("0X88");
+  test_pton6_bad("0XYXXY");
+  test_pton6_bad("0x");
+  test_pton6_bad("0X");
 
   /* test internal checking */
   test_external_ip("fbff:ffff::2:7", 0);