5 files changed, 89 insertions, 4 deletions

diff --git a/changes/bug23082 b/changes/bug23082
new file mode 100644
index 0000000000..fc4b52c364
--- /dev/null
+++ b/changes/bug23082
@@ -0,0 +1,4 @@
+  o Minor bugfixes (networking):
+    - Introduce additional checks into tor_addr_parse() to
+      reject certain incorrect inputs that previously were
+      not detected. Fixes bug 23082; bugfix on 0.2.0.10-alpha.
diff --git a/src/lib/net/address.c b/src/lib/net/address.c
index 03767e2950..c97a17037a 100644
--- a/src/lib/net/address.c
+++ b/src/lib/net/address.c
@@ -1187,14 +1187,22 @@ tor_addr_parse(tor_addr_t *addr, const char *src)
   int result;
   struct in_addr in_tmp;
   struct in6_addr in6_tmp;
+  int brackets_detected = 0;
+
   tor_assert(addr && src);
-  if (src[0] == '[' && src[1])
+
+  size_t len = strlen(src);
+
+  if (len && src[0] == '[' && src[len - 1] == ']') {
+    brackets_detected = 1;
     src = tmp = tor_strndup(src+1, strlen(src)-2);
+  }
 
   if (tor_inet_pton(AF_INET6, src, &in6_tmp) > 0) {
     result = AF_INET6;
     tor_addr_from_in6(addr, &in6_tmp);
-  } else if (tor_inet_pton(AF_INET, src, &in_tmp) > 0) {
+  } else if (!brackets_detected &&
+             tor_inet_pton(AF_INET, src, &in_tmp) > 0) {
     result = AF_INET;
     tor_addr_from_in(addr, &in_tmp);
   } else {
diff --git a/src/lib/net/inaddr.c b/src/lib/net/inaddr.c
index dcd8fcdd65..0960d323c5 100644
--- a/src/lib/net/inaddr.c
+++ b/src/lib/net/inaddr.c
@@ -168,6 +168,13 @@ tor_inet_pton(int af, const char *src, void *dst)
   if (af == AF_INET) {
     return tor_inet_aton(src, dst);
   } else if (af == AF_INET6) {
+    ssize_t len = strlen(src);
+
+    /* Reject if src has needless trailing ':'. */
+    if (len > 2 && src[len - 1] == ':' && src[len - 2] != ':') {
+      return 0;
+    }
+
     struct in6_addr *out = dst;
     uint16_t words[8];
     int gapPos = -1, i, setWords=0;
@@ -207,7 +214,6 @@ tor_inet_pton(int af, const char *src, void *dst)
         return 0;
       if (TOR_ISXDIGIT(*src)) {
         char *next;
-        ssize_t len;
         long r = strtol(src, &next, 16);
         if (next == NULL || next == src) {
           /* The 'next == src' error case can happen on versions of openbsd
diff --git a/src/test/test_addr.c b/src/test/test_addr.c
index a9004048a5..1d97db52a6 100644
--- a/src/test/test_addr.c
+++ b/src/test/test_addr.c
@@ -723,7 +723,7 @@ test_addr_ip6_helpers(void *arg)
   ;
 }
 
-/** Test tor_addr_port_parse(). */
+/** Test tor_addr_parse() and tor_addr_port_parse(). */
 static void
 test_addr_parse(void *arg)
 {
@@ -734,6 +734,60 @@ test_addr_parse(void *arg)
 
   /* Correct call. */
   (void)arg;
+  r= tor_addr_parse(&addr, "192.0.2.1");
+  tt_int_op(r,OP_EQ, AF_INET);
+  tor_addr_to_str(buf, &addr, sizeof(buf), 0);
+  tt_str_op(buf,OP_EQ, "192.0.2.1");
+
+  r= tor_addr_parse(&addr, "11:22::33:44");
+  tt_int_op(r,OP_EQ, AF_INET6);
+  tor_addr_to_str(buf, &addr, sizeof(buf), 0);
+  tt_str_op(buf,OP_EQ, "11:22::33:44");
+
+  r= tor_addr_parse(&addr, "[11:22::33:44]");
+  tt_int_op(r,OP_EQ, AF_INET6);
+  tor_addr_to_str(buf, &addr, sizeof(buf), 0);
+  tt_str_op(buf,OP_EQ, "11:22::33:44");
+
+  r= tor_addr_parse(&addr, "11:22:33:44:55:66:1.2.3.4");
+  tt_int_op(r,OP_EQ, AF_INET6);
+  tor_addr_to_str(buf, &addr, sizeof(buf), 0);
+  tt_str_op(buf,OP_EQ, "11:22:33:44:55:66:102:304");
+
+  r= tor_addr_parse(&addr, "11:22::33:44:1.2.3.4");
+  tt_int_op(r,OP_EQ, AF_INET6);
+  tor_addr_to_str(buf, &addr, sizeof(buf), 0);
+  tt_str_op(buf,OP_EQ, "11:22::33:44:102:304");
+
+  /* Empty string. */
+  r= tor_addr_parse(&addr, "");
+  tt_int_op(r,OP_EQ, -1);
+
+  /* Square brackets around IPv4 address. */
+  r= tor_addr_parse(&addr, "[192.0.2.1]");
+  tt_int_op(r,OP_EQ, -1);
+
+  /* Only left square bracket. */
+  r= tor_addr_parse(&addr, "[11:22::33:44");
+  tt_int_op(r,OP_EQ, -1);
+
+  /* Only right square bracket. */
+  r= tor_addr_parse(&addr, "11:22::33:44]");
+  tt_int_op(r,OP_EQ, -1);
+
+  /* Leading colon. */
+  r= tor_addr_parse(&addr, ":11:22::33:44");
+  tt_int_op(r,OP_EQ, -1);
+
+  /* Trailing colon. */
+  r= tor_addr_parse(&addr, "11:22::33:44:");
+  tt_int_op(r,OP_EQ, -1);
+
+  /* Too many hex words in IPv4-mapped IPv6 address. */
+  r= tor_addr_parse(&addr, "11:22:33:44:55:66:77:88:1.2.3.4");
+  tt_int_op(r,OP_EQ, -1);
+
+  /* Correct call. */
   r= tor_addr_port_parse(LOG_DEBUG,
                          "192.0.2.1:1234",
                          &addr, &port, -1);
diff --git a/src/test/test_util.c b/src/test/test_util.c
index 7bc1b7921a..1a71da2794 100644
--- a/src/test/test_util.c
+++ b/src/test/test_util.c
@@ -5808,6 +5808,18 @@ test_util_ipv4_validation(void *arg)
 }
 
 static void
+test_util_ipv6_validation(void *arg)
+{
+  (void)arg;
+
+  tt_assert(string_is_valid_ipv6_address("2a00:1450:401b:800::200e"));
+  tt_assert(!string_is_valid_ipv6_address("11:22::33:44:"));
+
+  done:
+  return;
+}
+
+static void
 test_util_writepid(void *arg)
 {
   (void) arg;
@@ -6498,6 +6510,7 @@ struct testcase_t util_tests[] = {
   UTIL_TEST(hostname_validation, 0),
   UTIL_TEST(dest_validation_edgecase, 0),
   UTIL_TEST(ipv4_validation, 0),
+  UTIL_TEST(ipv6_validation, 0),
   UTIL_TEST(writepid, 0),
   UTIL_TEST(get_avail_disk_space, 0),
   UTIL_TEST(touch_file, 0),