3 files changed, 13 insertions, 1 deletions

diff --git a/src/common/util.c b/src/common/util.c
index 5065e97216..6ff45a1cea 100644
--- a/src/common/util.c
+++ b/src/common/util.c
@@ -2052,7 +2052,7 @@ parse_addr_port(const char *addrport, char **address, uint32_t *addr,
   if (colon) {
     _address = tor_strndup(addrport, colon-addrport);
     _port = atoi(colon+1);
-    if (_port<1 || _port>65536) {
+    if (_port<1 || _port>65535) {
       log_fn(LOG_WARN, "Port '%s' out of range", colon+1);
       _port = 0;
       ok = 0;
diff --git a/src/or/rendservice.c b/src/or/rendservice.c
index 06014df53a..f14b31557e 100644
--- a/src/or/rendservice.c
+++ b/src/or/rendservice.c
@@ -161,6 +161,10 @@ static rend_service_port_config_t *parse_port_config(const char *string)
       log_fn(LOG_WARN, "Unparseable of missing port in hidden service port configuration.");
       return NULL;
     }
+    if (realport < 1 || realport > 65535) {
+      log_fn(LOG_WARN, "Port out of range");
+      return NULL;
+    }
     addr = 0x7F000001u; /* Default to 127.0.0.1 */
   }
 
diff --git a/src/or/routerparse.c b/src/or/routerparse.c
index 4ae2222456..b973909312 100644
--- a/src/or/routerparse.c
+++ b/src/or/routerparse.c
@@ -1053,6 +1053,10 @@ router_parse_exit_policy(directory_token_t *tok) {
     bits = (int) strtol(mask, &endptr, 10);
     if (!*endptr) {
       /* strtol handled the whole mask. */
+      if (bits < 0 || bits > 32) {
+        log_fn(LOG_WARN, "Bad number of mask bits on exit policy; rejecting.");
+        goto policy_read_failed;
+      }
       newe->msk = ~((1<<(32-bits))-1);
     } else if (tor_inet_aton(mask, &in) != 0) {
       newe->msk = ntohl(in.s_addr);
@@ -1083,6 +1087,10 @@ router_parse_exit_policy(directory_token_t *tok) {
     } else {
       newe->prt_max = newe->prt_min;
     }
+    if (newe->prt_min > newe->prt_max) {
+      log_fn(LOG_WARN,"Insane port range on exit policy; rejecting.");
+      goto policy_read_failed;
+    }
   }
 
   in.s_addr = htonl(newe->addr);