|
@@ -2549,7 +2549,7 @@ networkstatus_parse_vote_from_string(const char *s, const char **eos_out,
|
|
|
goto err;
|
|
|
v->good_signature = 1;
|
|
|
} else {
|
|
|
- if (tok->object_size >= INT_MAX)
|
|
|
+ if (tok->object_size >= INT_MAX || tok->object_size >= SIZE_T_CEILING)
|
|
|
goto err;
|
|
|
/* We already parsed a vote from this voter. Use the first one. */
|
|
|
if (v->signature) {
|
|
@@ -2700,7 +2700,7 @@ networkstatus_parse_detached_signatures(const char *s, const char *eos)
|
|
|
voter = tor_malloc_zero(sizeof(networkstatus_voter_info_t));
|
|
|
memcpy(voter->identity_digest, id_digest, DIGEST_LEN);
|
|
|
memcpy(voter->signing_key_digest, sk_digest, DIGEST_LEN);
|
|
|
- if (tok->object_size >= INT_MAX)
|
|
|
+ if (tok->object_size >= INT_MAX || tok->object_size >= SIZE_T_CEILING)
|
|
|
goto err;
|
|
|
voter->signature = tor_memdup(tok->object_body, tok->object_size);
|
|
|
voter->signature_len = (int) tok->object_size;
|
|
@@ -3017,6 +3017,10 @@ static directory_token_t *
|
|
|
get_next_token(memarea_t *area,
|
|
|
const char **s, const char *eos, token_rule_t *table)
|
|
|
{
|
|
|
+ /** Reject any object at least this big; it is probably an overflow, an
|
|
|
+ * attack, a bug, or some other nonsense. */
|
|
|
+#define MAX_UNPARSED_OBJECT_SIZE (128*1024)
|
|
|
+
|
|
|
const char *next, *eol, *obstart;
|
|
|
size_t obname_len;
|
|
|
int i;
|
|
@@ -3126,6 +3130,9 @@ get_next_token(memarea_t *area,
|
|
|
ebuf[sizeof(ebuf)-1] = '\0';
|
|
|
RET_ERR(ebuf);
|
|
|
}
|
|
|
+ if (next - *s > MAX_UNPARSED_OBJECT_SIZE)
|
|
|
+ RET_ERR("Couldn't parse object: missing footer or object much too big.");
|
|
|
+
|
|
|
if (!strcmp(tok->object_type, "RSA PUBLIC KEY")) { /* If it's a public key */
|
|
|
tok->key = crypto_new_pk_env();
|
|
|
if (crypto_pk_read_public_key_from_string(tok->key, obstart, eol-obstart))
|