diff options
| author | Nick Mathewson <nickm@torproject.org> | 2011-01-15 13:15:06 -0500 |
|---|---|---|
| committer | Nick Mathewson <nickm@torproject.org> | 2011-01-15 13:15:06 -0500 |
| commit | b97b0efec81c5564999c2545dd7f0ca230b239cc (patch) | |
| tree | 7bd479c07bf52595f58713e6c5844a0f8f1520d7 /src/or | |
| parent | 31b562e10abe51cf9d520e0a3ad2ffc3277d52a4 (diff) | |
| parent | 1f3b4420233e83ef160ac41398827994ec7ae152 (diff) | |
| download | tor-b97b0efec81c5564999c2545dd7f0ca230b239cc.tar.gz tor-b97b0efec81c5564999c2545dd7f0ca230b239cc.zip | |
Merge branch 'bug2352_obsize' into maint-0.2.1
Diffstat (limited to 'src/or')
| -rw-r--r-- | src/or/routerparse.c | 16 | ||||
| -rw-r--r-- | src/or/test.c | 6 |
2 files changed, 15 insertions, 7 deletions
diff --git a/src/or/routerparse.c b/src/or/routerparse.c index 9ad84ed8db..3778509051 100644 --- a/src/or/routerparse.c +++ b/src/or/routerparse.c @@ -2553,7 +2553,7 @@ networkstatus_parse_vote_from_string(const char *s, const char **eos_out, goto err; v->good_signature = 1; } else { - if (tok->object_size >= INT_MAX) + if (tok->object_size >= INT_MAX || tok->object_size >= SIZE_T_CEILING) goto err; /* We already parsed a vote from this voter. Use the first one. */ if (v->signature) { @@ -2704,7 +2704,7 @@ networkstatus_parse_detached_signatures(const char *s, const char *eos) voter = tor_malloc_zero(sizeof(networkstatus_voter_info_t)); memcpy(voter->identity_digest, id_digest, DIGEST_LEN); memcpy(voter->signing_key_digest, sk_digest, DIGEST_LEN); - if (tok->object_size >= INT_MAX) + if (tok->object_size >= INT_MAX || tok->object_size >= SIZE_T_CEILING) goto err; voter->signature = tor_memdup(tok->object_body, tok->object_size); voter->signature_len = (int) tok->object_size; @@ -3021,6 +3021,10 @@ static directory_token_t * get_next_token(memarea_t *area, const char **s, const char *eos, token_rule_t *table) { + /** Reject any object at least this big; it is probably an overflow, an + * attack, a bug, or some other nonsense. */ +#define MAX_UNPARSED_OBJECT_SIZE (128*1024) + const char *next, *eol, *obstart; size_t obname_len; int i; @@ -3105,7 +3109,8 @@ get_next_token(memarea_t *area, obstart = *s; /* Set obstart to start of object spec */ if (*s+16 >= eol || memchr(*s+11,'\0',eol-*s-16) || /* no short lines, */ - strcmp_len(eol-5, "-----", 5)) { /* nuls or invalid endings */ + strcmp_len(eol-5, "-----", 5) || /* nuls or invalid endings */ + (eol-*s) > MAX_UNPARSED_OBJECT_SIZE) { /* name too long */ RET_ERR("Malformed object: bad begin line"); } tok->object_type = STRNDUP(*s+11, eol-*s-16); @@ -3130,13 +3135,16 @@ get_next_token(memarea_t *area, ebuf[sizeof(ebuf)-1] = '\0'; RET_ERR(ebuf); } + if (next - *s > MAX_UNPARSED_OBJECT_SIZE) + RET_ERR("Couldn't parse object: missing footer or object much too big."); + if (!strcmp(tok->object_type, "RSA PUBLIC KEY")) { /* If it's a public key */ tok->key = crypto_new_pk_env(); if (crypto_pk_read_public_key_from_string(tok->key, obstart, eol-obstart)) RET_ERR("Couldn't parse public key."); } else if (!strcmp(tok->object_type, "RSA PRIVATE KEY")) { /* private key */ tok->key = crypto_new_pk_env(); - if (crypto_pk_read_private_key_from_string(tok->key, obstart)) + if (crypto_pk_read_private_key_from_string(tok->key, obstart, eol-obstart)) RET_ERR("Couldn't parse private key."); } else { /* If it's something else, try to base64-decode it */ int r; diff --git a/src/or/test.c b/src/or/test.c index 103866b45a..904ca69db1 100644 --- a/src/or/test.c +++ b/src/or/test.c @@ -3368,11 +3368,11 @@ test_v3_networkstatus(void) sign_skey_leg1 = pk_generate(4); test_assert(!crypto_pk_read_private_key_from_string(sign_skey_1, - AUTHORITY_SIGNKEY_1)); + AUTHORITY_SIGNKEY_1,-1)); test_assert(!crypto_pk_read_private_key_from_string(sign_skey_2, - AUTHORITY_SIGNKEY_2)); + AUTHORITY_SIGNKEY_2,-1)); test_assert(!crypto_pk_read_private_key_from_string(sign_skey_3, - AUTHORITY_SIGNKEY_3)); + AUTHORITY_SIGNKEY_3,-1)); test_assert(!crypto_pk_cmp_keys(sign_skey_1, cert1->signing_key)); test_assert(!crypto_pk_cmp_keys(sign_skey_2, cert2->signing_key)); |