[tor-bugs] #22103 [Core Tor]: confparse.c checks pointer instead of value (!ok)

Tor Bug Tracker & Wiki blackhole at torproject.org
Sat Apr 29 23:46:54 UTC 2017 

#22103: confparse.c checks pointer instead of value (!ok)
--------------------------+-----------------
     Reporter:  nullius   |      Owner:
         Type:  defect    |     Status:  new
     Priority:  Medium    |  Milestone:
    Component:  Core Tor  |    Version:
     Severity:  Normal    |   Keywords:
Actual Points:            |  Parent ID:
       Points:            |   Reviewer:
      Sponsor:            |
--------------------------+-----------------
 == Description ==

 In `src/or/confparse.c`, functions `conf_parse_msec_interval()` and
 `conf_parse_interval()` incorrectly check a pointer instead of the
 pointed-to value.  Patch attached.

 == Impact ==

 When `config_parse_units()` hits an error, these functions may return `0`
 as a valid value instead of `-1` as an error.

 == Security evaluation ==

 Far worse could be done by any attacker with sufficient access to feed
 malicious data to these functions.  Thus, I don’t see how it could be
 exploited as a practical matter.

 == `note[0]` ==

 From my `~/tor/BUGS.txt` with mtime 2014-03-19T03:07:45Z.  So sorry I did
 not report it sooner.  I could have been rich and famous!

 {{{#!comment
 #include <stdio.h>

 #define ME      "nullius at nym.zone"
 #define PGP     "0xC2E91CD74A4C57A105F6C21B5A00591B2F307E0C"

 int
 main(int argc, char *argv[])
 {

         printf("Hello, world! <%s>\nPGP: %s\n", ME, PGP);

         return (0);
 }
 }}}

 == `note[1]` ==

 Use of the variable `ok` is inconsistent in `confparse.c`.  In
 `config_assign_value()`, `ok` is an `int`.  Elsewhere, pointer to `int`.
 That’s not ok!  Also, there is a confusing `tor_assert(ok);` to check for
 non-`NULL` pointer; KNF style would prescribe the check to be explicit
 `tor_assert(ok != NULL);`, for a reason.  (The actual bug concerns a
 Boolean check, so `if (!*ok)` is stylistically sane.)  I could open a
 separate bug and/or do some minor refactoring, if committers were to
 express an interest in making `ok` more ok.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/22103>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

More information about the tor-bugs mailing list