commit 1491c0d024130a5699ae9acbeb2263d9d6ca2c3c Author: George Kadianakis <desnacked@riseup.net> Date: Thu Aug 17 23:13:15 2017 +0300 Fix triggerable BUG() when decoding hsv3 descriptors. Also improve the unittest to make sure it catches the right error. --- changes/bug23233 | 4 ++++ src/or/hs_descriptor.c | 3 ++- src/test/test_hs_descriptor.c | 4 ++++ 3 files changed, 10 insertions(+), 1 deletion(-) diff --git a/changes/bug23233 b/changes/bug23233 new file mode 100644 index 000000000..689a99a2a --- /dev/null +++ b/changes/bug23233 @@ -0,0 +1,4 @@ + o Minor bugfixes (hidden service): + - Fix a BUG alert during HSv3 descriptor decoding that could trigger with a + specially crafted descriptor. Fixes bug #23233; bugfix on 0.3.0.1-alpha. + Bug found by "haxxpop". diff --git a/src/or/hs_descriptor.c b/src/or/hs_descriptor.c index 7c2e76942..616d2f280 100644 --- a/src/or/hs_descriptor.c +++ b/src/or/hs_descriptor.c @@ -1852,7 +1852,8 @@ desc_sig_is_valid(const char *b64_sig, sig_start = tor_memstr(encoded_desc, encoded_len, "\n" str_signature); /* Getting here means the token parsing worked for the signature so if we * can't find the start of the signature, we have a code flow issue. */ - if (BUG(!sig_start)) { + if (!sig_start) { + log_warn(LD_GENERAL, "Malformed signature line. Rejecting."); goto err; } /* Skip newline, it has to go in the signature check. */ diff --git a/src/test/test_hs_descriptor.c b/src/test/test_hs_descriptor.c index 5be074708..b68bd108f 100644 --- a/src/test/test_hs_descriptor.c +++ b/src/test/test_hs_descriptor.c @@ -569,8 +569,12 @@ test_decode_bad_signature(void *arg) /* Update approx time to dodge cert expiration */ update_approx_time(1502661599); + + setup_full_capture_of_logs(LOG_WARN); ret = hs_desc_decode_plaintext(HS_DESC_BAD_SIG, &desc_plaintext); tt_int_op(ret, OP_EQ, -1); + expect_log_msg_containing("Malformed signature line. Rejecting."); + teardown_capture_of_logs(); done: ; }