[tor-bugs] #22103 [Core Tor]: confparse.c checks pointer instead of value (!ok)
Tor Bug Tracker & Wiki
blackhole at torproject.org
Sat Apr 29 23:46:54 UTC 2017
#22103: confparse.c checks pointer instead of value (!ok)
--------------------------+-----------------
     Reporter:  nullius   |      Owner:
         Type:  defect    |     Status:  new
     Priority:  Medium    |  Milestone:
    Component:  Core Tor  |    Version:
     Severity:  Normal    |   Keywords:
Actual Points:            |  Parent ID:
       Points:            |   Reviewer:
      Sponsor:            |
--------------------------+-----------------
== Description ==
In `src/or/confparse.c`, functions `conf_parse_msec_interval()` and
`conf_parse_interval()` incorrectly check a pointer instead of the
pointed-to value. Patch attached.
== Impact ==
When `config_parse_units()` hits an error, these functions may return `0`
as a valid value instead of `-1` as an error.
== Security evaluation ==
Far worse could be done by any attacker with sufficient access to feed
malicious data to these functions. Thus, I don’t see how it could be
exploited as a practical matter.
== `note[0]` ==
From my `~/tor/BUGS.txt` with mtime 2014-03-19T03:07:45Z. So sorry I did
not report it sooner. I could have been rich and famous!
{{{#!comment
#include <stdio.h>
#define ME "nullius at nym.zone"
#define PGP "0xC2E91CD74A4C57A105F6C21B5A00591B2F307E0C"
int
main(int argc, char *argv[])
{
        printf("Hello, world! <%s>\nPGP: %s\n", ME, PGP);
        return (0);
}
}}}
== `note[1]` ==
Use of the variable `ok` is inconsistent in `confparse.c`. In
`config_assign_value()`, `ok` is an `int`. Elsewhere, pointer to `int`.
That’s not ok! Also, there is a confusing `tor_assert(ok);` to check for
non-`NULL` pointer; KNF style would prescribe the check to be explicit
`tor_assert(ok != NULL);`, for a reason. (The actual bug concerns a
Boolean check, so `if (!*ok)` is stylistically sane.) I could open a
separate bug and/or do some minor refactoring, if committers were to
express an interest in making `ok` more ok.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/22103>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
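
The bug class this ticket describes, shown as an added C example that is not part of the original report and is not Tor's source code: an `int *ok` out-parameter is tested as `!ok` (the pointer) where `!*ok` (the flag) was meant. The `demo_*` functions and the input `"30x"` are hypothetical stand-ins constructed for illustration.

```c
#include <assert.h>
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical stand-in for a units parser (not Tor's code): returns the
 * value and sets *ok = 1, or returns 0 and sets *ok = 0 on bad input. */
static uint64_t
demo_parse_units(const char *s, int *ok)
{
  assert(ok != NULL);              /* explicit check of the pointer itself */
  char *end = NULL;
  unsigned long long v = strtoull(s, &end, 10);
  *ok = (s[0] >= '0' && s[0] <= '9' && *end == '\0');
  return *ok ? (uint64_t)v : 0;
}

/* Buggy shape: `ok` is a non-NULL pointer, so `!ok` is never true and the
 * parser's 0 is passed on as if it were a parsed interval. */
static int
demo_interval_buggy(const char *s, int *ok)
{
  uint64_t r = demo_parse_units(s, ok);
  if (!ok)
    return -1;
  if (r > INT_MAX) { *ok = 0; return -1; }
  return (int)r;
}

/* Fixed shape: test the pointed-to flag, so a parse error yields -1. */
static int
demo_interval_fixed(const char *s, int *ok)
{
  uint64_t r = demo_parse_units(s, ok);
  if (!*ok)
    return -1;
  if (r > INT_MAX) { *ok = 0; return -1; }
  return (int)r;
}

int
main(void)
{
  int ok;
  printf("buggy: %d\n", demo_interval_buggy("30x", &ok)); /* constructed input */
  printf("fixed: %d\n", demo_interval_fixed("30x", &ok));
  return 0;
}
```

In the buggy variant `*ok` is still `0` after the call, so only a caller that trusts the return value alone is misled.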