tor-commits March 2018

tor-commits@lists.torproject.org

15 participants
1430 discussions

[tor/maint-0.2.9] Add another NULL-pointer fix for protover.c.
by nickm＠torproject.org 03 Mar '18

03 Mar '18

commit a83650852d3cd00c9916cae74d755ae55a6b506d Author: Nick Mathewson <nickm(a)torproject.org> Date: Wed Feb 14 10:45:57 2018 -0500 Add another NULL-pointer fix for protover.c. This one can only be exploited if you can generate a correctly signed consensus, so it's not as bad as 25074. Fixes bug 25251; also tracked as TROVE-2018-004. --- changes/trove-2018-004 | 8 ++++++++ src/or/protover.c | 5 +++++ 2 files changed, 13 insertions(+) diff --git a/… [View More]

1 0

[tor/maint-0.2.9] Correctly handle NULL returns from parse_protocol_list when voting.
by nickm＠torproject.org 03 Mar '18

03 Mar '18

commit 65f2eec694f18a64291cc85317b9f22dacc1d8e4 Author: Nick Mathewson <nickm(a)torproject.org> Date: Thu Feb 1 16:33:52 2018 -0500 Correctly handle NULL returns from parse_protocol_list when voting. In some cases we had checked for it, but in others we had not. One of these cases could have been used to remotely cause denial-of-service against directory authorities while they attempted to vote. Fixes TROVE-2018-001. --- changes/trove-2018-001.1 | 6 +… [View More]

1 0

[tor/maint-0.2.9] Add some protover vote round-trip tests from Teor.
by nickm＠torproject.org 03 Mar '18

03 Mar '18

commit d3a1bdbf56c7e41b54fdd1d3169287ca761698a6 Author: Nick Mathewson <nickm(a)torproject.org> Date: Wed Feb 14 11:47:05 2018 -0500 Add some protover vote round-trip tests from Teor. I've refactored these to be a separate function, to avoid tricky merge conflicts. Some of these are disabled with "XXXX" comments; they should get fixed moving forward. --- src/test/test_protover.c | 76 ++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 76 … [View More]insertions(+) diff --git a/src/test/test_protover.c b/src/test/test_protover.c index f00955d1b..5e65c019e 100644 --- a/src/test/test_protover.c +++ b/src/test/test_protover.c @@ -182,6 +182,81 @@ test_protover_all_supported(void *arg) tor_free(msg); } +static void +test_protover_vote_roundtrip(void *args) +{ + (void) args; + static const struct { + const char *input; + const char *expected_output; + } examples[] = { + { "Fkrkljdsf", NULL }, + { "Zn=4294967295", NULL }, + { "Zn=4294967295-1", NULL }, + { "Zn=4294967293-4294967295", NULL }, + /* Will fail because of 4294967295. */ + { "Foo=1,3 Bar=3 Baz= Quux=9-12,14,15-16,900 Zn=0,4294967295", + NULL }, + { "Foo=1,3 Bar=3 Baz= Quux=9-12,14,15-16,900 Zn=0,4294967294", + "Bar=3 Foo=1,3 Quux=9-12,14-16,900 Zn=0,4294967294" }, + { "Zu16=0,65536", "Zu16=0,65536" }, + { "N-1=1,2", "N-1=1-2" }, + { "-1=4294967295", NULL }, + { "-1=3", "-1=3" }, + /* junk. */ + { "!!3@*", NULL }, + /* Missing equals sign */ + { "Link=4 Haprauxymatyve Desc=9", NULL }, + { "Link=4 Haprauxymatyve=7 Desc=9", + "Desc=9 Haprauxymatyve=7 Link=4" }, + { "=10-11", NULL }, + { "X=10-11", "X=10-11" }, + { "Link=4 =3 Desc=9", NULL }, + { "Link=4 Z=3 Desc=9", "Desc=9 Link=4 Z=3" }, + { "Link=fred", NULL }, + { "Link=1,fred", NULL }, + { "Link=1,fred,3", NULL }, + { "Link=1,9-8,3", NULL }, + // "These fail at the splitting stage in Rust, but the number parsing + // stage in C." + { "Faux=-1", NULL }, + { "Faux=-1-3", NULL }, + { "Faux=1--1", NULL }, + /* Large integers */ + { "Link=4294967296", NULL }, + /* Large range */ + { "Sleen=1-501", "Sleen=1-501" }, + { "Sleen=1-65537", NULL }, + /* CPU/RAM DoS Loop: Rust only. */ + { "Sleen=0-2147483648", NULL }, + /* Rust seems to experience an internal error here. */ + { "Sleen=0-4294967295", NULL }, + }; + unsigned u; + smartlist_t *votes = smartlist_new(); + char *result = NULL; + + for (u = 0; u < ARRAY_LENGTH(examples); ++u) { + const char *input = examples[u].input; + const char *expected_output = examples[u].expected_output; + + smartlist_add(votes, (void*)input); + result = protover_compute_vote(votes, 1); + if (expected_output != NULL) { + tt_str_op(result, OP_EQ, expected_output); + } else { + tt_str_op(result, OP_EQ, ""); + } + + smartlist_clear(votes); + tor_free(result); + } + + done: + smartlist_free(votes); + tor_free(result); +} + #define PV_TEST(name, flags) \ { #name, test_protover_ ##name, (flags), NULL, NULL } @@ -190,6 +265,7 @@ struct testcase_t protover_tests[] = { PV_TEST(parse_fail, 0), PV_TEST(vote, 0), PV_TEST(all_supported, 0), + PV_TEST(vote_roundtrip, 0), END_OF_TESTCASES }; [View Less]

1 0

[tor/maint-0.2.9] Forbid "-0" as a protocol version.
by nickm＠torproject.org 03 Mar '18

03 Mar '18

commit 8b405c609e82fbfb5470967fc4c45165c708e72b Author: Nick Mathewson <nickm(a)torproject.org> Date: Thu Feb 15 08:46:13 2018 -0500 Forbid "-0" as a protocol version. Fixes part of 24249; bugfix on 0.2.9.4-alpha. --- changes/bug25249 | 3 +++ src/or/protover.c | 9 +++++++++ src/test/test_protover.c | 6 ++++-- 3 files changed, 16 insertions(+), 2 deletions(-) diff --git a/changes/bug25249 b/changes/bug25249 new file mode 100644 index 000000000..b4153eeae … [View More]--- /dev/null +++ b/changes/bug25249 @@ -0,0 +1,3 @@ + o Minor bugfixes (spec conformance): + - Forbid "-0" as a protocol version. Fixes part of bug 25249; bugfix on + 0.2.9.4-alpha. diff --git a/src/or/protover.c b/src/or/protover.c index e63036f78..f32316f8e 100644 --- a/src/or/protover.c +++ b/src/or/protover.c @@ -123,6 +123,11 @@ parse_version_range(const char *s, const char *end_of_range, if (BUG(!end_of_range)) end_of_range = s + strlen(s); // LCOV_EXCL_LINE + /* A range must start with a digit. */ + if (!TOR_ISDIGIT(*s)) { + goto error; + } + /* Note that this wouldn't be safe if we didn't know that eventually, * we'd hit a NUL */ low = (uint32_t) tor_parse_ulong(s, 10, 0, UINT32_MAX, &ok, &next); @@ -138,7 +143,11 @@ parse_version_range(const char *s, const char *end_of_range, if (*next != '-') goto error; s = next+1; + /* ibid */ + if (!TOR_ISDIGIT(*s)) { + goto error; + } high = (uint32_t) tor_parse_ulong(s, 10, 0, UINT32_MAX, &ok, &next); if (!ok) goto error; diff --git a/src/test/test_protover.c b/src/test/test_protover.c index 609003a83..4c41b6db6 100644 --- a/src/test/test_protover.c +++ b/src/test/test_protover.c @@ -151,11 +151,11 @@ test_protover_vote(void *arg) tt_str_op(result, OP_EQ, ""); tor_free(result); - /* This fails in Rust, but not in C */ + /* This fails, since "-0" is not valid. */ smartlist_clear(lst); smartlist_add(lst, (void*) "Faux=-0"); result = protover_compute_vote(lst, 1); - tt_str_op(result, OP_EQ, "Faux=0"); + tt_str_op(result, OP_EQ, ""); tor_free(result); /* Vote large protover lists that are just below the threshold */ @@ -301,6 +301,8 @@ test_protover_vote_roundtrip(void *args) { "Link=1,fred", NULL }, { "Link=1,fred,3", NULL }, { "Link=1,9-8,3", NULL }, + { "Faux=-0", NULL }, + { "Faux=0--0", NULL }, // "These fail at the splitting stage in Rust, but the number parsing // stage in C." { "Faux=-1", NULL }, [View Less]

1 0

[tor/maint-0.2.9] Forbid UINT32_MAX as a protocol version
by nickm＠torproject.org 03 Mar '18

03 Mar '18

commit 1fe0bae508120bbf4954de6b590dd0c722a883bc Author: Nick Mathewson <nickm(a)torproject.org> Date: Thu Feb 15 09:05:55 2018 -0500 Forbid UINT32_MAX as a protocol version The C code and the rust code had different separate integer overflow bugs here. That suggests that we're better off just forbidding this pathological case. Also, add tests for expected behavior on receiving a bad protocol list in a consensus. Fixes another part of 25249. --… [View More]- changes/bug25249.2 | 3 +++ src/or/protover.c | 8 ++++++-- src/test/test_protover.c | 21 ++++++++++++++++++--- 3 files changed, 27 insertions(+), 5 deletions(-) diff --git a/changes/bug25249.2 b/changes/bug25249.2 new file mode 100644 index 000000000..9058c1107 --- /dev/null +++ b/changes/bug25249.2 @@ -0,0 +1,3 @@ + o Minor bugfixes (spec conformance): + - Forbid UINT32_MAX as a protocol version. Fixes part of bug 25249; + bugfix on 0.2.9.4-alpha. diff --git a/src/or/protover.c b/src/or/protover.c index f32316f8e..a035b5c83 100644 --- a/src/or/protover.c +++ b/src/or/protover.c @@ -103,6 +103,9 @@ proto_entry_free(proto_entry_t *entry) tor_free(entry); } +/** The largest possible protocol version. */ +#define MAX_PROTOCOL_VERSION (UINT32_MAX-1) + /** * Given a string <b>s</b> and optional end-of-string pointer * <b>end_of_range</b>, parse the protocol range and store it in @@ -130,7 +133,7 @@ parse_version_range(const char *s, const char *end_of_range, /* Note that this wouldn't be safe if we didn't know that eventually, * we'd hit a NUL */ - low = (uint32_t) tor_parse_ulong(s, 10, 0, UINT32_MAX, &ok, &next); + low = (uint32_t) tor_parse_ulong(s, 10, 0, MAX_PROTOCOL_VERSION, &ok, &next); if (!ok) goto error; if (next > end_of_range) @@ -148,7 +151,8 @@ parse_version_range(const char *s, const char *end_of_range, if (!TOR_ISDIGIT(*s)) { goto error; } - high = (uint32_t) tor_parse_ulong(s, 10, 0, UINT32_MAX, &ok, &next); + high = (uint32_t) tor_parse_ulong(s, 10, 0, + MAX_PROTOCOL_VERSION, &ok, &next); if (!ok) goto error; if (next != end_of_range) diff --git a/src/test/test_protover.c b/src/test/test_protover.c index 4c41b6db6..8d061c69c 100644 --- a/src/test/test_protover.c +++ b/src/test/test_protover.c @@ -257,12 +257,27 @@ test_protover_all_supported(void *arg) tt_str_op(msg, OP_EQ, "Sleen=0-2147483648"); tor_free(msg); - /* Rust seems to experience an internal error here */ - tt_assert(! protover_all_supported("Sleen=0-4294967295", &msg)); - tt_str_op(msg, OP_EQ, "Sleen=0-4294967295"); + /* This case is allowed. */ + tt_assert(! protover_all_supported("Sleen=0-4294967294", &msg)); + tt_str_op(msg, OP_EQ, "Sleen=0-4294967294"); tor_free(msg); + /* If we get an unparseable list, we say "yes, that's supported." */ + tor_capture_bugs_(1); + tt_assert(protover_all_supported("Fribble", &msg)); + tt_ptr_op(msg, OP_EQ, NULL); + tor_end_capture_bugs_(); + + /* This case is forbidden. Since it came from a protover_all_supported, + * it can trigger a bug message. */ + tor_capture_bugs_(1); + tt_assert(protover_all_supported("Sleen=0-4294967295", &msg)); + tt_ptr_op(msg, OP_EQ, NULL); + tor_free(msg); + tor_end_capture_bugs_(); + done: + tor_end_capture_bugs_(); tor_free(msg); } [View Less]

1 0

[tor/maint-0.2.9] Spec conformance on protover: always reject ranges where lo>hi
by nickm＠torproject.org 03 Mar '18

03 Mar '18

commit c5295cc1beb1c13743e11d3a7134e9e75b6da470 Author: Nick Mathewson <nickm(a)torproject.org> Date: Thu Feb 15 10:49:47 2018 -0500 Spec conformance on protover: always reject ranges where lo>hi --- src/or/protover.c | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/src/or/protover.c b/src/or/protover.c index a035b5c83..0c79037f6 100644 --- a/src/or/protover.c +++ b/src/or/protover.c @@ -158,6 +158,9 @@ parse_version_range(const char *s, const char *… [View More]

1 0

[torspec/master] specify when OwningControllerFD option went in
by arma＠torproject.org 03 Mar '18

03 Mar '18

commit d4a64fbf5aaba383638d9f3c70bd2951f8c5ad89 Author: Roger Dingledine <arma(a)torproject.org> Date: Sat Mar 3 01:56:49 2018 -0500 specify when OwningControllerFD option went in --- control-spec.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/control-spec.txt b/control-spec.txt index c1110bc..03d153d 100644 --- a/control-spec.txt +++ b/control-spec.txt @@ -3299,7 +3299,7 @@ __OwningControllerFD If this option is a valid socket, Tor will start … [View More]

1 0

[torspec/master] remove caesura in proposal name
by arma＠torproject.org 03 Mar '18

03 Mar '18

commit 79e61857d55331571c9b7d6540145940955ee16b Author: Roger Dingledine <arma(a)torproject.org> Date: Sat Mar 3 01:49:53 2018 -0500 remove caesura in proposal name we can be poetic in other epochs --- proposals/250-commit-reveal-consensus.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/proposals/250-commit-reveal-consensus.txt b/proposals/250-commit-reveal-consensus.txt index 1190fd6..c9711aa 100644 --- a/proposals/250-commit-reveal-consensus.txt … [View More]

1 0

[torspec/master] fix typos in proposal 290
by arma＠torproject.org 03 Mar '18

03 Mar '18

commit ba05c9a935a96a4d8e94be1f3db768808b738b1c Author: Roger Dingledine <arma(a)torproject.org> Date: Sat Mar 3 01:48:33 2018 -0500 fix typos in proposal 290 --- proposals/290-deprecate-consensus-methods.txt | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/proposals/290-deprecate-consensus-methods.txt b/proposals/290-deprecate-consensus-methods.txt index db047c8..54e900c 100644 --- a/proposals/290-deprecate-consensus-methods.txt +++ b/proposals/290-… [View More]

1 0

[tor/master] resolve a weird binary character that crept into the man page
by arma＠torproject.org 03 Mar '18

03 Mar '18

commit 2bd23cebf36f97f36fc61ee818be1bfede27d6fd Author: Roger Dingledine <arma(a)torproject.org> Date: Fri Mar 2 19:21:45 2018 -0500 resolve a weird binary character that crept into the man page --- doc/tor.1.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/doc/tor.1.txt b/doc/tor.1.txt index 59f4df79e..5f6186696 100644 --- a/doc/tor.1.txt +++ b/doc/tor.1.txt @@ -1894,7 +1894,7 @@ is non-zero): If you want to use a reduced exit policy rather than the … [View More]

1 0

Jump to page:

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

tor-commits March 2018