From edc561432a10ad053ea0b40db44dfc904b71f79f Mon Sep 17 00:00:00 2001
From: Anders Sundman <anders@4zm.org>
Date: Fri, 18 Nov 2011 23:37:54 +0100
Subject: Minor tor_inet_pton bug fixes

In particular:
* Disallow "0x10::"
* Don't blow up on ":"
* Disallow "::10000"
---
 src/common/compat.c | 20 +++++++++++++-------
 1 file changed, 13 insertions(+), 7 deletions(-)

(limited to 'src/common')

diff --git a/src/common/compat.c b/src/common/compat.c
index ba49af757c..20c45af00b 100644
--- a/src/common/compat.c
+++ b/src/common/compat.c
@@ -1733,24 +1733,30 @@ tor_inet_pton(int af, const char *src, void *dst)
         return 0;
       if (TOR_ISXDIGIT(*src)) {
         char *next;
+        int len;
         long r = strtol(src, &next, 16);
-        if (next > 4+src)
-          return 0;
-        if (next == src)
-          return 0;
-        if (r<0 || r>65536)
+        tor_assert(next != NULL);
+        tor_assert(next != src);
+
+        len = *next == '\0' ? eow - src : next - src;
+        if (len > 4)
           return 0;
+        if (len > 1 && !TOR_ISXDIGIT(src[1]))
+          return 0; /* 0x is not valid */
 
+        tor_assert(r >= 0);
+        tor_assert(r < 65536);
         words[i++] = (uint16_t)r;
         setWords++;
         src = next;
         if (*src != ':' && src != eow)
           return 0;
         ++src;
-      } else if (*src == ':' && i > 0 && gapPos==-1) {
+      } else if (*src == ':' && i > 0 && gapPos == -1) {
         gapPos = i;
         ++src;
-      } else if (*src == ':' && i == 0 && src[1] == ':' && gapPos==-1) {
+      } else if (*src == ':' && i == 0 && src+1 < eow && src[1] == ':' &&
+                 gapPos == -1) {
         gapPos = i;
         src += 2;
       } else {
-- 
cgit v1.2.3-54-g00ecf