summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorNick Mathewson <nickm@torproject.org>2013-04-17 10:45:45 -0400
committerNick Mathewson <nickm@torproject.org>2013-04-17 10:45:45 -0400
commit42731f69efc1f7b0614a33cd6ea7a70903bfc98b (patch)
tree3b5d5e5eedb704f116d26367546c002ebf02d0ca
parenta6545d6335cd7829cdc9c0d7ce2e61b775bcca1d (diff)
parent0cf2c01dbd9b86d396a55186e0656db33c7929d8 (diff)
downloadtor-42731f69efc1f7b0614a33cd6ea7a70903bfc98b.tar.gz
tor-42731f69efc1f7b0614a33cd6ea7a70903bfc98b.zip
Merge branch 'bug8037_squashed' into maint-0.2.4
-rw-r--r--changes/bug80378
-rw-r--r--src/common/util.c14
-rw-r--r--src/common/util.h3
-rw-r--r--src/or/routerparse.c13
4 files changed, 35 insertions, 3 deletions
diff --git a/changes/bug8037 b/changes/bug8037
new file mode 100644
index 0000000000..989745fc39
--- /dev/null
+++ b/changes/bug8037
@@ -0,0 +1,8 @@
+ o Minor bugfixes:
+ - Correctly store microdescriptors and extrainfo descriptors with
+ an internal NUL byte. Fixes bug 8037; bugfix on 0.2.0.1-alpha.
+ Bug reported by "cypherpunks".
+
+ o Minor features:
+ - Reject as invalid most directory objects containing a
+ NUL. Belt-and-suspender fix for bug 8037.
diff --git a/src/common/util.c b/src/common/util.c
index 2f1bc6171b..db160fdf0a 100644
--- a/src/common/util.c
+++ b/src/common/util.c
@@ -281,6 +281,20 @@ tor_memdup_(const void *mem, size_t len DMALLOC_PARAMS)
return dup;
}
+/** As tor_memdup(), but add an extra 0 byte at the end of the resulting
+ * memory. */
+void *
+tor_memdup_nulterm(const void *mem, size_t len DMALLOC_PARAMS)
+{
+ char *dup;
+ tor_assert(len < SIZE_T_CEILING+1);
+ tor_assert(mem);
+ dup = tor_malloc_(len+1 DMALLOC_FN_ARGS);
+ memcpy(dup, mem, len);
+ dup[len] = '\0';
+ return dup;
+}
+
/** Helper for places that need to take a function pointer to the right
* spelling of "free()". */
void
diff --git a/src/common/util.h b/src/common/util.h
index 712352b032..96a02dd775 100644
--- a/src/common/util.h
+++ b/src/common/util.h
@@ -83,6 +83,8 @@ char *tor_strndup_(const char *s, size_t n DMALLOC_PARAMS)
ATTR_MALLOC ATTR_NONNULL((1));
void *tor_memdup_(const void *mem, size_t len DMALLOC_PARAMS)
ATTR_MALLOC ATTR_NONNULL((1));
+void *tor_memdup_nulterm_(const void *mem, size_t len DMALLOC_PARAMS)
+ ATTR_MALLOC ATTR_NONNULL((1));
void tor_free_(void *mem);
#ifdef USE_DMALLOC
extern int dmalloc_free(const char *file, const int line, void *pnt,
@@ -116,6 +118,7 @@ extern int dmalloc_free(const char *file, const int line, void *pnt,
#define tor_strdup(s) tor_strdup_(s DMALLOC_ARGS)
#define tor_strndup(s, n) tor_strndup_(s, n DMALLOC_ARGS)
#define tor_memdup(s, n) tor_memdup_(s, n DMALLOC_ARGS)
+#define tor_memdup_nulterm(s, n) tor_memdup_nulterm_(s, n DMALLOC_ARGS)
void tor_log_mallinfo(int severity);
diff --git a/src/or/routerparse.c b/src/or/routerparse.c
index 0eadcc90f7..370cf2682e 100644
--- a/src/or/routerparse.c
+++ b/src/or/routerparse.c
@@ -1494,7 +1494,7 @@ extrainfo_parse_entry_from_string(const char *s, const char *end,
extrainfo = tor_malloc_zero(sizeof(extrainfo_t));
extrainfo->cache_info.is_extrainfo = 1;
if (cache_copy)
- extrainfo->cache_info.signed_descriptor_body = tor_strndup(s, end-s);
+ extrainfo->cache_info.signed_descriptor_body = tor_memdup_nulterm(s, end-s);
extrainfo->cache_info.signed_descriptor_len = end-s;
memcpy(extrainfo->cache_info.signed_descriptor_digest, digest, DIGEST_LEN);
@@ -3921,8 +3921,15 @@ tokenize_string(memarea_t *area,
tor_assert(area);
s = &start;
- if (!end)
+ if (!end) {
end = start+strlen(start);
+ } else {
+ /* it's only meaningful to check for nuls if we got an end-of-string ptr */
+ if (memchr(start, '\0', end-start)) {
+ log_warn(LD_DIR, "parse error: internal NUL character.");
+ return -1;
+ }
+ }
for (i = 0; i < NIL_; ++i)
counts[i] = 0;
@@ -4256,7 +4263,7 @@ microdescs_parse_from_string(const char *s, const char *eos,
md->bodylen = start_of_next_microdesc - cp;
if (copy_body)
- md->body = tor_strndup(cp, md->bodylen);
+ md->body = tor_memdup_nulterm(cp, md->bodylen);
else
md->body = (char*)cp;
md->off = cp - start;