diff options
author | Nick Mathewson <nickm@torproject.org> | 2011-01-15 13:25:13 -0500 |
---|---|---|
committer | Nick Mathewson <nickm@torproject.org> | 2011-01-15 13:25:13 -0500 |
commit | 1393985768d760e11e45faabb537d28248306e8b (patch) | |
tree | 61b35b3b734f8a920a08cc9a9ecb70e408cd4a58 /src | |
parent | 9d133464c874191414dd51f546d09364419040cf (diff) | |
parent | b97b0efec81c5564999c2545dd7f0ca230b239cc (diff) | |
download | tor-1393985768d760e11e45faabb537d28248306e8b.tar.gz tor-1393985768d760e11e45faabb537d28248306e8b.zip |
Merge remote branch 'origin/maint-0.2.1' into maint-0.2.2
Conflicts:
src/or/routerparse.c
src/or/test.c
Diffstat (limited to 'src')
-rw-r--r-- | src/common/crypto.c | 14 | ||||
-rw-r--r-- | src/common/crypto.h | 2 | ||||
-rw-r--r-- | src/or/routerparse.c | 16 | ||||
-rw-r--r-- | src/test/test_dir.c | 6 |
4 files changed, 24 insertions, 14 deletions
diff --git a/src/common/crypto.c b/src/common/crypto.c index 15b58188ed..1d12a9d32d 100644 --- a/src/common/crypto.c +++ b/src/common/crypto.c @@ -518,21 +518,23 @@ crypto_pk_generate_key_with_bits(crypto_pk_env_t *env, int bits) return 0; } -/** Read a PEM-encoded private key from the string <b>s</b> into <b>env</b>. - * Return 0 on success, -1 on failure. +/** Read a PEM-encoded private key from the <b>len</b>-byte string <b>s</b> + * into <b>env</b>. Return 0 on success, -1 on failure. If len is -1, + * the string is nul-terminated. */ /* Used here, and used for testing. */ int crypto_pk_read_private_key_from_string(crypto_pk_env_t *env, - const char *s) + const char *s, ssize_t len) { BIO *b; tor_assert(env); tor_assert(s); + tor_assert(len < INT_MAX && len < SIZE_T_CEILING); - /* Create a read-only memory BIO, backed by the NUL-terminated string 's' */ - b = BIO_new_mem_buf((char*)s, -1); + /* Create a read-only memory BIO, backed by the string 's' */ + b = BIO_new_mem_buf((char*)s, (int)len); if (env->key) RSA_free(env->key); @@ -566,7 +568,7 @@ crypto_pk_read_private_key_from_filename(crypto_pk_env_t *env, } /* Try to parse it. */ - r = crypto_pk_read_private_key_from_string(env, contents); + r = crypto_pk_read_private_key_from_string(env, contents, -1); tor_free(contents); if (r) return -1; /* read_private_key_from_string already warned, so we don't.*/ diff --git a/src/common/crypto.h b/src/common/crypto.h index 29ba36cdf6..c306bec276 100644 --- a/src/common/crypto.h +++ b/src/common/crypto.h @@ -112,7 +112,7 @@ int crypto_pk_write_private_key_to_string(crypto_pk_env_t *env, int crypto_pk_read_public_key_from_string(crypto_pk_env_t *env, const char *src, size_t len); int crypto_pk_read_private_key_from_string(crypto_pk_env_t *env, - const char *s); + const char *s, ssize_t len); int crypto_pk_write_private_key_to_filename(crypto_pk_env_t *env, const char *fname); diff --git a/src/or/routerparse.c b/src/or/routerparse.c index 66d024ecd4..a6eef2df6c 100644 --- a/src/or/routerparse.c +++ b/src/or/routerparse.c @@ -3227,7 +3227,7 @@ networkstatus_parse_vote_from_string(const char *s, const char **eos_out, } sig->good_signature = 1; } else { - if (tok->object_size >= INT_MAX) { + if (tok->object_size >= INT_MAX || tok->object_size >= SIZE_T_CEILING) { tor_free(sig); goto err; } @@ -3496,7 +3496,7 @@ networkstatus_parse_detached_signatures(const char *s, const char *eos) sig->alg = alg; memcpy(sig->identity_digest, id_digest, DIGEST_LEN); memcpy(sig->signing_key_digest, sk_digest, DIGEST_LEN); - if (tok->object_size >= INT_MAX) { + if (tok->object_size >= INT_MAX || tok->object_size >= SIZE_T_CEILING) { tor_free(sig); goto err; } @@ -3814,6 +3814,10 @@ static directory_token_t * get_next_token(memarea_t *area, const char **s, const char *eos, token_rule_t *table) { + /** Reject any object at least this big; it is probably an overflow, an + * attack, a bug, or some other nonsense. */ +#define MAX_UNPARSED_OBJECT_SIZE (128*1024) + const char *next, *eol, *obstart; size_t obname_len; int i; @@ -3898,7 +3902,8 @@ get_next_token(memarea_t *area, obstart = *s; /* Set obstart to start of object spec */ if (*s+16 >= eol || memchr(*s+11,'\0',eol-*s-16) || /* no short lines, */ - strcmp_len(eol-5, "-----", 5)) { /* nuls or invalid endings */ + strcmp_len(eol-5, "-----", 5) || /* nuls or invalid endings */ + (eol-*s) > MAX_UNPARSED_OBJECT_SIZE) { /* name too long */ RET_ERR("Malformed object: bad begin line"); } tok->object_type = STRNDUP(*s+11, eol-*s-16); @@ -3923,13 +3928,16 @@ get_next_token(memarea_t *area, ebuf[sizeof(ebuf)-1] = '\0'; RET_ERR(ebuf); } + if (next - *s > MAX_UNPARSED_OBJECT_SIZE) + RET_ERR("Couldn't parse object: missing footer or object much too big."); + if (!strcmp(tok->object_type, "RSA PUBLIC KEY")) { /* If it's a public key */ tok->key = crypto_new_pk_env(); if (crypto_pk_read_public_key_from_string(tok->key, obstart, eol-obstart)) RET_ERR("Couldn't parse public key."); } else if (!strcmp(tok->object_type, "RSA PRIVATE KEY")) { /* private key */ tok->key = crypto_new_pk_env(); - if (crypto_pk_read_private_key_from_string(tok->key, obstart)) + if (crypto_pk_read_private_key_from_string(tok->key, obstart, eol-obstart)) RET_ERR("Couldn't parse private key."); } else { /* If it's something else, try to base64-decode it */ int r; diff --git a/src/test/test_dir.c b/src/test/test_dir.c index c7c5a0b72b..e61815027c 100644 --- a/src/test/test_dir.c +++ b/src/test/test_dir.c @@ -745,11 +745,11 @@ test_dir_v3_networkstatus(void) sign_skey_leg1 = pk_generate(4); test_assert(!crypto_pk_read_private_key_from_string(sign_skey_1, - AUTHORITY_SIGNKEY_1)); + AUTHORITY_SIGNKEY_1, -1)); test_assert(!crypto_pk_read_private_key_from_string(sign_skey_2, - AUTHORITY_SIGNKEY_2)); + AUTHORITY_SIGNKEY_2, -1)); test_assert(!crypto_pk_read_private_key_from_string(sign_skey_3, - AUTHORITY_SIGNKEY_3)); + AUTHORITY_SIGNKEY_3, -1)); test_assert(!crypto_pk_cmp_keys(sign_skey_1, cert1->signing_key)); test_assert(!crypto_pk_cmp_keys(sign_skey_2, cert2->signing_key)); |