[tor-bugs] #14013 [Core Tor/Tor]: base16_decode() API is inconsistent and error-prone

Tor Bug Tracker & Wiki blackhole at torproject.org
Fri Jun 17 19:23:07 UTC 2016 

#14013: base16_decode() API is inconsistent and error-prone
-----------------------------------+------------------------------------
 Reporter:  nickm                  |          Owner:  nikkolasg
     Type:  defect                 |         Status:  merge_ready
 Priority:  High                   |      Milestone:  Tor: 0.2.9.x-final
Component:  Core Tor/Tor           |        Version:
 Severity:  Normal                 |     Resolution:
 Keywords:  lorax, review-group-3  |  Actual Points:
Parent ID:                         |         Points:  1
 Reviewer:  dgoulet                |        Sponsor:  SponsorS-can
-----------------------------------+------------------------------------
Changes (by dgoulet):

 * status:  needs_revision => merge_ready


Comment:

 Replying to [comment:29 nickm]:
 > requested changes:
 >   * require that destlen be less than SSIZE_MAX. Otherwise the cast in
 base16_decode isn't safe.

 Hrm actually that ssize_t cast doesn't make too much sense. That function
 returns a int so we should align everything to `INT_MAX`. I originally
 changed it to return `ssize_t` but I changed my mind so every
 encode/decode function have the same interface.

 Fixup commit: `b397307`

 >   * document what happens if destlen is greater than or less than
 srclen/2.

 Also in fixup commit: `b397307`

 >   *
 >
 > {{{
 > +      ok = base16_decode(id, DIGEST_LEN, cp+strlen("id="),
 > +                         strlen(cp)-strlen("id=")) != DIGEST_LEN ? 0 :
 1;
 > }}}
 >
 > would make more sense as `ok = (base16_decode(...) == DIGEST_LEN)`
 >
 >   * Why is the comparison in decode_hashed_passwords < rather than != ?

 This was a leftover.

 Both of the above fixed in fixup commit: `6bffbb9`

 >
 > To consider:
 >   * Should we make all of these functions clear the unused portion of
 the output buffer?

 Ideally, we should make all the decode function return how many bytes they
 used so the caller can know the _exact_ amount filled up.

 Now this patch makes it for base16 and base64 is already doing that.
 base32 is the missing one. New ticket time I presume.

 >   * Is it possible that we missed any instances of base16_decode() ?

 Always possible but nikkolasg originally made the patch and then I went
 over each of the base16_decode I could find to fix some syntax and change
 `<` to `!=`. So if we missed one, bad luck I would say.

 See branch with the fixup commits: `bug14013_029_01`

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/14013#comment:30>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

More information about the tor-bugs mailing list