Merge remote branch 'origin/maint-0.2.1' into maint-0.2.2

Conflicts: src/or/routerparse.c src/or/test.c
author: Nick Mathewson <nickm@torproject.org> 2011-01-15 13:25:13 -0500
committer: Nick Mathewson <nickm@torproject.org> 2011-01-15 13:25:13 -0500
commit: 1393985768d760e11e45faabb537d28248306e8b (patch)
tree: 61b35b3b734f8a920a08cc9a9ecb70e408cd4a58
parent: 9d133464c874191414dd51f546d09364419040cf (diff)
parent: b97b0efec81c5564999c2545dd7f0ca230b239cc (diff)
download: tor-1393985768d760e11e45faabb537d28248306e8b.tar.gz
tor-1393985768d760e11e45faabb537d28248306e8b.zip
5 files changed, 30 insertions, 14 deletions
diff --git a/changes/bug2352 b/changes/bug2352
new file mode 100644
index 0000000000..744dbdb20f
--- /dev/null
+++ b/changes/bug2352
@@ -0,0 +1,6 @@
+  o Minor bugfixes
+    - Fix some potential asserts and partsing issues with grossly
+      malformed router caches.  Fixes bug 2352.  Found by doorss.
+      Bugfix on Tor 0.2.1.27.
+
+
diff --git a/src/common/crypto.c b/src/common/crypto.c
index 15b58188ed..1d12a9d32d 100644
--- a/src/common/crypto.c
+++ b/src/common/crypto.c
@@ -518,21 +518,23 @@ crypto_pk_generate_key_with_bits(crypto_pk_env_t *env, int bits)
   return 0;
 }
 
-/** Read a PEM-encoded private key from the string <b>s</b> into <b>env</b>.
- * Return 0 on success, -1 on failure.
+/** Read a PEM-encoded private key from the <b>len</b>-byte string <b>s</b>
+ * into <b>env</b>.  Return 0 on success, -1 on failure.  If len is -1,
+ * the string is nul-terminated.
  */
 /* Used here, and used for testing. */
 int
 crypto_pk_read_private_key_from_string(crypto_pk_env_t *env,
-                                       const char *s)
+                                       const char *s, ssize_t len)
 {
   BIO *b;
 
   tor_assert(env);
   tor_assert(s);
+  tor_assert(len < INT_MAX && len < SIZE_T_CEILING);
 
-  /* Create a read-only memory BIO, backed by the NUL-terminated string 's' */
-  b = BIO_new_mem_buf((char*)s, -1);
+  /* Create a read-only memory BIO, backed by the string 's' */
+  b = BIO_new_mem_buf((char*)s, (int)len);
 
   if (env->key)
     RSA_free(env->key);
@@ -566,7 +568,7 @@ crypto_pk_read_private_key_from_filename(crypto_pk_env_t *env,
   }
 
   /* Try to parse it. */
-  r = crypto_pk_read_private_key_from_string(env, contents);
+  r = crypto_pk_read_private_key_from_string(env, contents, -1);
   tor_free(contents);
   if (r)
     return -1; /* read_private_key_from_string already warned, so we don't.*/
diff --git a/src/common/crypto.h b/src/common/crypto.h
index 29ba36cdf6..c306bec276 100644
--- a/src/common/crypto.h
+++ b/src/common/crypto.h
@@ -112,7 +112,7 @@ int crypto_pk_write_private_key_to_string(crypto_pk_env_t *env,
 int crypto_pk_read_public_key_from_string(crypto_pk_env_t *env,
                                           const char *src, size_t len);
 int crypto_pk_read_private_key_from_string(crypto_pk_env_t *env,
-                                           const char *s);
+                                           const char *s, ssize_t len);
 int crypto_pk_write_private_key_to_filename(crypto_pk_env_t *env,
                                             const char *fname);
 
diff --git a/src/or/routerparse.c b/src/or/routerparse.c
index 66d024ecd4..a6eef2df6c 100644
--- a/src/or/routerparse.c
+++ b/src/or/routerparse.c
@@ -3227,7 +3227,7 @@ networkstatus_parse_vote_from_string(const char *s, const char **eos_out,
       }
       sig->good_signature = 1;
     } else {
-      if (tok->object_size >= INT_MAX) {
+      if (tok->object_size >= INT_MAX || tok->object_size >= SIZE_T_CEILING) {
         tor_free(sig);
         goto err;
       }
@@ -3496,7 +3496,7 @@ networkstatus_parse_detached_signatures(const char *s, const char *eos)
     sig->alg = alg;
     memcpy(sig->identity_digest, id_digest, DIGEST_LEN);
     memcpy(sig->signing_key_digest, sk_digest, DIGEST_LEN);
-    if (tok->object_size >= INT_MAX) {
+    if (tok->object_size >= INT_MAX || tok->object_size >= SIZE_T_CEILING) {
       tor_free(sig);
       goto err;
     }
@@ -3814,6 +3814,10 @@ static directory_token_t *
 get_next_token(memarea_t *area,
                const char **s, const char *eos, token_rule_t *table)
 {
+  /** Reject any object at least this big; it is probably an overflow, an
+   * attack, a bug, or some other nonsense. */
+#define MAX_UNPARSED_OBJECT_SIZE (128*1024)
+
   const char *next, *eol, *obstart;
   size_t obname_len;
   int i;
@@ -3898,7 +3902,8 @@ get_next_token(memarea_t *area,
 
   obstart = *s; /* Set obstart to start of object spec */
   if (*s+16 >= eol || memchr(*s+11,'\0',eol-*s-16) || /* no short lines, */
-      strcmp_len(eol-5, "-----", 5)) {          /* nuls or invalid endings */
+      strcmp_len(eol-5, "-----", 5) ||           /* nuls or invalid endings */
+      (eol-*s) > MAX_UNPARSED_OBJECT_SIZE) {     /* name too long */
     RET_ERR("Malformed object: bad begin line");
   }
   tok->object_type = STRNDUP(*s+11, eol-*s-16);
@@ -3923,13 +3928,16 @@ get_next_token(memarea_t *area,
     ebuf[sizeof(ebuf)-1] = '\0';
     RET_ERR(ebuf);
   }
+  if (next - *s > MAX_UNPARSED_OBJECT_SIZE)
+    RET_ERR("Couldn't parse object: missing footer or object much too big.");
+
   if (!strcmp(tok->object_type, "RSA PUBLIC KEY")) { /* If it's a public key */
     tok->key = crypto_new_pk_env();
     if (crypto_pk_read_public_key_from_string(tok->key, obstart, eol-obstart))
       RET_ERR("Couldn't parse public key.");
   } else if (!strcmp(tok->object_type, "RSA PRIVATE KEY")) { /* private key */
     tok->key = crypto_new_pk_env();
-    if (crypto_pk_read_private_key_from_string(tok->key, obstart))
+    if (crypto_pk_read_private_key_from_string(tok->key, obstart, eol-obstart))
       RET_ERR("Couldn't parse private key.");
   } else { /* If it's something else, try to base64-decode it */
     int r;
diff --git a/src/test/test_dir.c b/src/test/test_dir.c
index c7c5a0b72b..e61815027c 100644
--- a/src/test/test_dir.c
+++ b/src/test/test_dir.c
@@ -745,11 +745,11 @@ test_dir_v3_networkstatus(void)
   sign_skey_leg1 = pk_generate(4);
 
   test_assert(!crypto_pk_read_private_key_from_string(sign_skey_1,
-                                                      AUTHORITY_SIGNKEY_1));
+                                                      AUTHORITY_SIGNKEY_1, -1));
   test_assert(!crypto_pk_read_private_key_from_string(sign_skey_2,
-                                                      AUTHORITY_SIGNKEY_2));
+                                                      AUTHORITY_SIGNKEY_2, -1));
   test_assert(!crypto_pk_read_private_key_from_string(sign_skey_3,
-                                                      AUTHORITY_SIGNKEY_3));
+                                                      AUTHORITY_SIGNKEY_3, -1));
 
   test_assert(!crypto_pk_cmp_keys(sign_skey_1, cert1->signing_key));
   test_assert(!crypto_pk_cmp_keys(sign_skey_2, cert2->signing_key));
author	Nick Mathewson <nickm@torproject.org>	2011-01-15 13:25:13 -0500
committer	Nick Mathewson <nickm@torproject.org>	2011-01-15 13:25:13 -0500
commit	1393985768d760e11e45faabb537d28248306e8b (patch)
tree	61b35b3b734f8a920a08cc9a9ecb70e408cd4a58
parent	9d133464c874191414dd51f546d09364419040cf (diff)
parent	b97b0efec81c5564999c2545dd7f0ca230b239cc (diff)
download	tor-1393985768d760e11e45faabb537d28248306e8b.tar.gz tor-1393985768d760e11e45faabb537d28248306e8b.zip