[tor-bugs] #22789 [Core Tor/Tor]: Tor 0.3.1.4-alpha crash on OpenBSD-current

Tor Bug Tracker & Wiki blackhole at torproject.org
Tue Jul 4 08:59:33 UTC 2017


#22789: Tor 0.3.1.4-alpha crash on OpenBSD-current
-------------------------------------------------+-------------------------
 Reporter:  fredzupy                             |          Owner:
     Type:  defect                               |         Status:
                                                 |  needs_review
 Priority:  High                                 |      Milestone:  Tor:
                                                 |  0.3.1.x-final
Component:  Core Tor/Tor                         |        Version:  Tor:
                                                 |  0.3.1.4-alpha
 Severity:  Major                                |     Resolution:
 Keywords:  tor crash inet_pton c99 openbsd      |  Actual Points:
  024-backport 025-backport 026-backport         |
  027-backport 028-backport 029-backport         |
  030-backport                                   |
Parent ID:                                       |         Points:
 Reviewer:                                       |        Sponsor:
-------------------------------------------------+-------------------------

Comment (by cypherpunks):

 Replying to [comment:18 fredzupy]:
 > Replying to [comment:17 catalyst]:
 > > My reading of C99 is that `strtol("0xquux", &next, 16)` must return zero and `next` must point to the `x`.  The optionality in paragraph 3 is for the input data, not the implementation.
 >
 > Under Linux it produces:
 > l:0 rest:xquux
 >
 > Under OpenBSD it produces:
 > l:0 rest:0xquux
 >
 > The question is whether the Tor code is good enough and OpenBSD needs to fix something, or OpenBSD is sufficiently conformant and the Tor code needs to adapt.
 >
 I believe the OpenBSD result is correct according to the C99 text and
 contradicts catalyst's statement. Because paragraph 7.20.1.4.7 states
 > If the subject sequence is empty or does not have the expected form, no conversion is performed; the value of nptr is stored in the object pointed to by endptr, provided that endptr is not a null pointer.
 With the example code, `nptr` does not have the expected form, so no
 conversion is performed; therefore `nptr == *endptr`. Furthermore,
 paragraph 7.20.1.4.8 states
 > The strtol, strtoll, strtoul, and strtoull functions return the converted value, if any. If no conversion could be performed, zero is returned. If the correct value is outside the range of representable values, LONG_MIN, LONG_MAX, LLONG_MIN, LLONG_MAX, ULONG_MAX, or ULLONG_MAX is returned (according to the return type and sign of the value, if any), and the value of the macro ERANGE is stored in errno.
 With the example code, `nptr` does not have the expected form, so no
 conversion is performed; therefore the return value is zero.

 Combining these two together means that when the subject sequence is empty
 or does not have the expected form, no conversion is performed and the
 return value is zero and `nptr == *endptr`.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/22789#comment:19>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
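
The comment above turns on where `strtol` leaves `endptr` for `0xquux`. As an added example (not part of the ticket and not Tor's code), the C below validates a hex field before calling `strtol`, so the caller gets the same answer under either behaviour; `raw_consumed` and `parse_hex_field` are hypothetical names and the sample strings are constructed.

```c
#include <ctype.h>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>

/* Raw strtol() in base 16: returns how many bytes it reports as consumed.
 * For "0xquux" the ticket reports rest "xquux" on Linux, "0xquux" on OpenBSD. */
static long raw_consumed(const char *s, long *value)
{
    char *end;
    *value = strtol(s, &end, 16);
    return (long)(end - s);
}

/* Hypothetical helper (not Tor's code): strict hex field parser.
 * Returns 0 and stores the value on success, -1 on malformed input. */
static int parse_hex_field(const char *s, long *out)
{
    const char *p;
    char *end;
    long v;
    /* Consume the optional prefix here so strtol() never sees "0x". */
    if (s[0] == '0' && (s[1] == 'x' || s[1] == 'X'))
        s += 2;
    if (*s == '\0')
        return -1;                      /* "" or a bare "0x" */
    for (p = s; *p != '\0'; p++)
        if (!isxdigit((unsigned char)*p))
            return -1;                  /* also rejects sign and whitespace */
    errno = 0;
    v = strtol(s, &end, 16);
    if (errno == ERANGE || *end != '\0')
        return -1;                      /* overflow, or input left over */
    *out = v;
    return 0;
}

int main(void)
{
    const char *samples[] = { "0xquux", "0x1f", "ff", "0x", "1g" }; /* constructed */
    long raw, strict;
    size_t i;
    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        long n = raw_consumed(samples[i], &raw);
        int ok = parse_hex_field(samples[i], &strict) == 0;
        printf("%-8s raw=%ld consumed=%ld strict=%s\n", samples[i], raw, n, ok ? "ok" : "rejected");
    }
    return 0;
}
```

Only the `consumed` column for `0xquux` is expected to differ between the two platforms named in the ticket; the `strict` column does not depend on it.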

