Home Explore Help
Sign In
piros
/
tor
3
0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Browse Source

Fix a few crash bugs related to malormed descriptors. Lark found one; fuzzing found the rest.

svn:r19250
Nick Mathewson 16 years ago
parent
37e8a28c7c
commit
d50501e5ed
2 changed files with 11 additions and 8 deletions
Split View Show Diff Stats
  1. 4 0
      ChangeLog
  2. 7 8
      src/or/routerparse.c

+ 4 - 0
ChangeLog
View File 

@@ -1,4 +1,8 @@
 
 Changes in version 0.2.1.14-??? - 2009-04-??
 
+  o Security fixes:
 
+    - Avoid crashing in the presence of certain malformed descriptors.
 
+      Found by lark, and by automated fuzzing.
 
+
 
   o Minor bugfixes:
 
     - Avoid trying to print raw memory to the logs when we decide to
 
       give up on downloading a given relay descriptor. Bugfix on

+ 7 - 8
src/or/routerparse.c
View File 

@@ -411,7 +411,7 @@ static token_rule_t networkstatus_consensus_token_table[] = {
 
 
   T0N("opt",                 K_OPT,             CONCAT_ARGS, OBJ_OK ),
 
 
-  T1N("dir-source",          K_DIR_SOURCE,          GE(3),   NO_OBJ ),
 
+  T1N("dir-source",          K_DIR_SOURCE,          GE(6),   NO_OBJ ),
 
   T1N("contact",             K_CONTACT,         CONCAT_ARGS, NO_OBJ ),
 
   T1N("vote-digest",         K_VOTE_DIGEST,         GE(1),   NO_OBJ ),
 
 
@@ -1933,7 +1933,7 @@ routerstatus_parse_entry_from_string(memarea_t *area,
 
     tor_assert(tok->n_args == 1);
 
     if (strcmpstart(tok->args[0], "accept ") &&
 
         strcmpstart(tok->args[0], "reject ")) {
 
-      log_err(LD_DIR, "Unknown exit policy summary type %s.",
 
+      log_warn(LD_DIR, "Unknown exit policy summary type %s.",
 
                escaped(tok->args[0]));
 
       goto err;
 
     }
 
@@ -2311,8 +2311,7 @@ networkstatus_parse_vote_from_string(const char *s, const char **eos_out,
 
 
   ns->voters = smartlist_create();
 
 
-  SMARTLIST_FOREACH(tokens, directory_token_t *, _tok,
 
-  {
 
+  SMARTLIST_FOREACH_BEGIN(tokens, directory_token_t *, _tok) {
 
     tok = _tok;
 
     if (tok->tp == K_DIR_SOURCE) {
 
       tor_assert(tok->n_args >= 6);
 
@@ -2369,11 +2368,11 @@ networkstatus_parse_vote_from_string(const char *s, const char **eos_out,
 
         base16_decode(voter->vote_digest, sizeof(voter->vote_digest),
 
                       tok->args[0], HEX_DIGEST_LEN) < 0) {
 
         log_warn(LD_DIR, "Error decoding vote digest %s in "
 
-                 "network-status consensus.", escaped(tok->args[1]));
 
+                 "network-status consensus.", escaped(tok->args[0]));
 
         goto err;
 
       }
 
     }
 
-  });
 
+  } SMARTLIST_FOREACH_END(_tok);
 
   if (voter) {
 
     smartlist_add(ns->voters, voter);
 
     voter = NULL;
 
@@ -2903,6 +2902,7 @@ token_check_object(memarea_t *area, const char *kwd,
 
     case NEED_KEY: /* There must be some kind of key. */
 
       if (!tok->key) {
 
         tor_snprintf(ebuf, sizeof(ebuf), "Missing public key for %s", kwd);
 
+        RET_ERR(ebuf);
 
       }
 
       if (o_syn != NEED_SKEY_1024) {
 
         if (crypto_pk_key_is_private(tok->key)) {
 
@@ -3049,8 +3049,7 @@ get_next_token(memarea_t *area,
 
     goto check_object;
 
 
   obstart = *s; /* Set obstart to start of object spec */
 
-  tor_assert(eol >= (*s+16));
 
-  if (*s+11 >= eol-5 || memchr(*s+11,'\0',eol-*s-16) || /* no short lines, */
 
+  if (*s+16 >= eol || memchr(*s+11,'\0',eol-*s-16) || /* no short lines, */
 
       strcmp_len(eol-5, "-----", 5)) {          /* nuls or invalid endings */
 
     RET_ERR("Malformed object: bad begin line");
 
   }