author | Nick Mathewson <nickm@torproject.org> | 2018-10-25 09:14:06 -0400 |
---|---|---|
committer | Nick Mathewson <nickm@torproject.org> | 2018-10-25 09:14:06 -0400 |
commit | 8013e3e8b6af4170f622765a0fb1a219131028bd (patch) | |
tree | 6ecc0b00309faaffc19577114a0db6fbcc07e91b | |
parent | b2c52f5d6d52a70e11bb4f60036dd6772b55661a (diff) | |
parent | 0878bb961f9028a81ce465702afb891a82015228 (diff) | |
download | tor-8013e3e8b6af4170f622765a0fb1a219131028bd.tar.gz tor-8013e3e8b6af4170f622765a0fb1a219131028bd.zip |
Merge branch 'bug28202_029' into bug28202_033
-rw-r--r-- | changes/bug28202 | 4 | ||||
-rw-r--r-- | src/or/parsecommon.c | 3 | ||||
-rw-r--r-- | src/or/routerparse.c | 7 |
3 files changed, 8 insertions, 6 deletions
diff --git a/changes/bug28202 b/changes/bug28202
new file mode 100644
index 0000000000..182daac4f1
--- /dev/null
+++ b/changes/bug28202
@@ -0,0 +1,4 @@
+ o Minor bugfixes (C correctness):
+ - Avoid undefined behavior in an end-of-string check when parsing the
+ BEGIN line in a directory object. Fixes bug 28202; bugfix on
+ 0.2.0.3-alpha.
diff --git a/src/or/parsecommon.c b/src/or/parsecommon.c
index 6c3dd3100e..e7d01a5029 100644
--- a/src/or/parsecommon.c
+++ b/src/or/parsecommon.c
@@ -345,7 +345,7 @@ get_next_token(memarea_t *area,
 goto check_object;
 obstart = *s; /* Set obstart to start of object spec */
- if (*s+16 >= eol || memchr(*s+11,'\0',eol-*s-16) || /* no short lines, */
+ if (eol - *s <= 16 || memchr(*s+11,'\0',eol-*s-16) || /* no short lines, */
 strcmp_len(eol-5, "-----", 5) || /* nuls or invalid endings */
 (eol-*s) > MAX_UNPARSED_OBJECT_SIZE) { /* name too long */
 RET_ERR("Malformed object: bad begin line");
@@ -448,4 +448,3 @@ find_all_by_keyword(const smartlist_t *s, directory_keyword k)
 });
 return out;
 }
-
diff --git a/src/or/routerparse.c b/src/or/routerparse.c
index 79499f2e6f..6f82859e61 100644
--- a/src/or/routerparse.c
+++ b/src/or/routerparse.c
@@ -4659,13 +4659,13 @@ find_start_of_next_microdesc(const char *s, const char *eos)
 return NULL;
 #define CHECK_LENGTH() STMT_BEGIN \
- if (s+32 > eos) \
+ if (eos - s < 32) \
 return NULL; \
 STMT_END
 #define NEXT_LINE() STMT_BEGIN \
 s = memchr(s, '\n', eos-s); \
- if (!s || s+1 >= eos) \
+ if (!s || eos - s <= 1) \
 return NULL; \
 s++; \
 STMT_END
@@ -4689,7 +4689,7 @@ find_start_of_next_microdesc(const char *s, const char *eos)
 /* Okay, now we're pointed at the first line of the microdescriptor which is not an annotation or onion-key. The next line that _is_ an annotation or onion-key is the start of the next microdescriptor. */
- while (s+32 < eos) {
+ while (eos - s > 32) {
 if (*s == '@' || !strcmpstart(s, "onion-key"))
 return s;
 NEXT_LINE();
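Review bot: The constants in the rewritten condition of get_next_token (`eol - *s <= 16`, `*s+11`, `eol-*s-16`) are unexplained, and nothing on the line says why the length is now compared as a pointer difference instead of by advancing `*s`. This code parses directory objects, and the first test is what keeps `memchr` from being called with a negative length converted to a huge `size_t`. A comment such as `/* 16 appears to be strlen("-----BEGIN ") + strlen("-----"); compare lengths, because *s+16 may point past the end of the buffer */` would keep a later cleanup from restoring the old form. The subtraction assumes `eol` is non-NULL and points into the same buffer as `*s`; that check is presumably on the lines above the hunk, which are not visible here. The same comment is worth adding to the `eos - s` rewrites in find_start_of_next_microdesc in src/or/routerparse.c.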
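Review bot: The limit 32 is written out in `CHECK_LENGTH()` in the first src/or/routerparse.c hunk and again in `while (eos - s > 32)` in the next one, with no name or comment saying what those 32 bytes represent. The two tests also differ at the boundary: `CHECK_LENGTH()` accepts exactly 32 remaining bytes while the loop stops at exactly 32. The commit preserves the old behaviour in both places, so if the difference is intended a one-line comment should say so. A named constant used in both places, for example `#define MICRODESC_MIN_REMAINING 32` (name constructed for illustration), would keep the two in step. `NEXT_LINE()` passes `eos-s` to `memchr` as a length, which relies on `s <= eos` holding on entry to find_start_of_next_microdesc; the entry checks are outside the hunk.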
@@ -5724,4 +5724,3 @@ routerparse_free_all(void)
 {
 dump_desc_fifo_cleanup();
 }
- |