[tor-bugs] #13476 [Tor]: time handling - bug fixes, extra external input checks, and unit tests

Tor Bug Tracker & Wiki blackhole at torproject.org
Sun Oct 19 15:23:46 UTC 2014 

#13476: time handling - bug fixes, extra external input checks, and unit tests
------------------------+------------------------------------
 Reporter:  teor        |          Owner:
     Type:  defect      |         Status:  new
 Priority:  minor       |      Milestone:  Tor: 0.2.6.x-final
Component:  Tor         |        Version:  Tor: unspecified
 Keywords:  tor-router  |  Actual Points:
Parent ID:              |         Points:
------------------------+------------------------------------
 '''Bug Fix'''
 correct_tm in util.c sets tm_yday to 1 & 365, assuming it is 1-based.

 But tm_yday is actually 0-based, meaning the correct values are 0 & 364
 (both of the years with end of year dates are odd-numbered, therefore they
 can't be leap years).

 This bug is invisible in the current tor source code, for two reasons:
 1. This code is only used when the epoch time >= INT_MAX or the year >
 8099 (9999 CE).
 2. No current tor code is using the tm_yday field returned by
 correct_time(), as long as mktime is implemented to ignore tm_yday as
 described in the 1999 BSD/OS X man page:

   The original values of the tm_wday and tm_yday components of the
   structure are ignored.

 So I don't think this fix will need backporting.

 '''Enhancements'''

 Take the year and month into account when checking if the day of the month
 supplied to parse_rfc1123_time is out of range. Re-enable existing unit
 tests, and create new unit tests for these cases. May improve input
 validation - consider backporting.

 Take the year and month into account when checking if the day of the month
 supplied to tor_timegm is out of range. Also check if the hour, minute,
 and second are valid. This improves validation of If-Modified-Since HTTP
 headers. (And really isn't used much by tor otherwise.) Create unit tests
 for these cases. Improves HTTP header validation - consider backporting.

 Avoid unlikely signed integer overflow in tor_timegm on systems with
 32-bit time_t. Create a unit test for this case. Not worth backporting.

 Further clamp year values returned from system localtime(_r) and
 gmtime(_r) to year 1, rather than allowing year 0 (which doesn't strictly
 exist), or negative years. Both of these avoid potential parsing/accuracy
 issues with strftime and timegm. Create unit tests for these cases. Check
 for clamping to either of the year values that correct_tm may produce,
 depending on whether the system gmtime(_r) yields an error or not.
 Unlikely - probably not worth backporting.

 I'll post a branch as soon as I've authored the changes file.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/13476>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

More information about the tor-bugs mailing list