authorNick Mathewson <nickm@torproject.org>2011-01-19 13:25:38 -0500
committerNick Mathewson <nickm@torproject.org>2011-01-19 13:25:38 -0500
commita793f1f6f2bd7b774e3b001468df4ea72bdeffc4 (patch)
tree5d889cdfdeba508313009def28a385c6b7dd3d76
parent9bb947ea149908aa14d9ba7ec67e351da6471812 (diff)
parentc8f94eed12c0a7e8226bdadcd26570e29152f299 (diff)
Merge remote branch 'origin/maint-0.2.1' into maint-0.2.2
-rw-r--r--changes/routerparse_maxima4
-rw-r--r--src/or/routerparse.c17
2 files changed, 21 insertions, 0 deletions
diff --git a/changes/routerparse_maxima b/changes/routerparse_maxima
new file mode 100644
index 0000000000..340f2c3c2d
--- /dev/null
+++ b/changes/routerparse_maxima
@@ -0,0 +1,4 @@
+ o Minor bugfixes
+ - Check for and reject overly long directory certificates and
+ directory tokens before they have a chance to hit any
+ assertions. Bugfix on 0.2.1.28. Found by doorss.
diff --git a/src/or/routerparse.c b/src/or/routerparse.c
index 08f81d9f76..5ceb298b8b 100644
--- a/src/or/routerparse.c
+++ b/src/or/routerparse.c
@@ -1720,6 +1720,10 @@ extrainfo_parse_entry_from_string(const char *s, const char *end,
authority_cert_t *
authority_cert_parse_from_string(const char *s, const char **end_of_string)
{
+ /** Reject any certificate at least this big; it is probably an overflow, an
+ * attack, a bug, or some other nonsense. */
+#define MAX_CERT_SIZE (128*1024)
+
authority_cert_t *cert = NULL, *old_cert;
smartlist_t *tokens = NULL;
char digest[DIGEST_LEN];
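Review bot: The comment on `MAX_CERT_SIZE` says certificates "at least this big" are rejected, but the check added in the next hunk is `len > MAX_CERT_SIZE`, so a certificate of exactly 128 KiB is still accepted. The same mismatch between comment and operator applies to `MAX_LINE_LENGTH` and its `eol - *s > MAX_LINE_LENGTH` test in the two get_next_token hunks. Either word the comments as `/** Reject any certificate larger than this; ...` (and likewise for lines), or use `>=` in the checks so the enforced limit is the documented one. The body of authority_cert_parse_from_string continues outside this hunk.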
@@ -1747,6 +1751,12 @@ authority_cert_parse_from_string(const char *s, const char **end_of_string)
++eos;
len = eos - s;
+ if (len > MAX_CERT_SIZE) {
+ log_warn(LD_DIR, "Certificate is far too big (at %lu bytes long); "
+ "rejecting", (unsigned long)len);
+ return NULL;
+ }
+
tokens = smartlist_create();
area = memarea_new();
if (tokenize_string(area,s, eos, tokens, dir_key_certificate_table, 0) < 0) {
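Review bot: The new `return NULL` on the oversize path does not write `*end_of_string` in the lines shown, and nothing here records that for callers. If a caller walks a buffer of concatenated certificates using that pointer (not visible in this hunk), it has to stop on NULL rather than read it. A comment above the check such as `/* On rejection *end_of_string is not updated; callers must stop on NULL. */` would make that contract explicit. The bare return is leak-free only because `tokens` and `area` are created after it, so the check should stay ahead of those allocations. The start and end of the function are outside the hunk.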
@@ -3818,6 +3828,9 @@ get_next_token(memarea_t *area,
/** Reject any object at least this big; it is probably an overflow, an
* attack, a bug, or some other nonsense. */
#define MAX_UNPARSED_OBJECT_SIZE (128*1024)
+ /** Reject any line at least this big; it is probably an overflow, an
+ * attack, a bug, or some other nonsense. */
+#define MAX_LINE_LENGTH (128*1024)
const char *next, *eol, *obstart;
size_t obname_len;
@@ -3837,6 +3850,10 @@ get_next_token(memarea_t *area,
eol = memchr(*s, '\n', eos-*s);
if (!eol)
eol = eos;
+ if (eol - *s > MAX_LINE_LENGTH) {
+ RET_ERR("Line far too long");
+ }
+
next = find_whitespace_eos(*s, eol);
if (!strcmp_len(*s, "opt", next-*s)) {