[tor-bugs] #22789 [Core Tor/Tor]: Tor 0.3.1.4-alpha crash on OpenBSD-current

Tor Bug Tracker & Wiki blackhole at torproject.org
Tue Jul 4 15:09:19 UTC 2017


#22789: Tor 0.3.1.4-alpha crash on OpenBSD-current
-------------------------------------------------+-------------------------
 Reporter:  fredzupy                             |          Owner:
     Type:  defect                               |         Status:
                                                 |  needs_review
 Priority:  High                                 |      Milestone:  Tor:
                                                 |  0.3.1.x-final
Component:  Core Tor/Tor                         |        Version:  Tor:
                                                 |  0.3.1.4-alpha
 Severity:  Major                                |     Resolution:
 Keywords:  tor crash inet_pton c99 openbsd      |  Actual Points:
  024-backport 025-backport 026-backport         |
  027-backport 028-backport 029-backport         |
  030-backport                                   |
Parent ID:                                       |         Points:
 Reviewer:                                       |        Sponsor:
-------------------------------------------------+-------------------------

Comment (by catalyst):

 Nothing in C99 7.20.1.4 explicitly says that a string starting with `0x`
 should result in `nptr == *endptr` when `base == 16`.

 It might be ambiguous about whether `0x` is an expected subject sequence
 for `strtol` with `base == 16`.  I think the ambiguity is whether the
 subject sequence is `0` vs `0x`, rather than empty.  7.20.1.4p7 says `nptr
 == *endptr` if the subject sequence "is empty or does not have the
 expected form", but 7.20.1.4p4 defines the subject sequence as "the
 longest initial subsequence of the input string, starting with the first
 non-white-space character, that is of the expected form", so "not have the
 expected form" is redundant because that is impossible for a subject
 sequence as defined.

 It goes on to say that the subject sequence is empty if "the input string
 is empty or consists entirely of white space, or if the first non-white-
 space character is other than a sign or a permissible letter or digit".
 Neither of these is true for a string starting with `0x`, because `0` is a
 permissible digit for `base == 16`.

 This also brings up the question of whether a subject string can consist
 of only a sign prefix.  I think it can be, but the reference to 6.4.4.1
 implies that is not true, at least for `base == 0`, because an ''integer-
 constant'' cannot be empty.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/22789#comment:21>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
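The comment above is about where `strtol` leaves `*endptr` for an input beginning with `0x` when `base == 16`. The following is an added example, not code from the ticket or from Tor itself, showing the defensive pattern a parser of small hexadecimal fields (the shape of an IPv6 hextet) can use so that it never depends on how a given libc resolves that ambiguity: it counts the hex digits itself, refuses any `0x`/`0X` prefix or sign before calling `strtol`, and then checks that `strtol` consumed exactly those digits. The function names `parse_hextet`, `hextet_len`, `hextet_value` and `strtol_consumed` are assumptions for this example; the probe strings are constructed.

```c
#include <ctype.h>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical helper (not Tor's code): parse one unprefixed hexadecimal
 * field of 1..4 digits, the shape of an IPv6 hextet.  It sidesteps the
 * C99 7.20.1.4 question discussed above by never letting strtol see a
 * "0x"/"0X" prefix or a sign, and then verifies that strtol consumed
 * exactly the digits counted here.  Returns 0..65535, or -1 if the field
 * is rejected; *endp is set to the first unconsumed character (or to s
 * on rejection). */
long parse_hextet(const char *s, const char **endp)
{
    size_t n = 0;
    char *end = NULL;
    long v;

    *endp = s;
    /* Count leading hex digits ourselves; a hextet is 1..4 of them. */
    while (isxdigit((unsigned char)s[n]))
        n++;
    if (n == 0 || n > 4)
        return -1;
    /* "0x..." is not a hextet; reject it before strtol can treat "0x" as a
     * base prefix, since libcs disagree on where endptr lands in that case. */
    if (s[0] == '0' && (s[1] == 'x' || s[1] == 'X'))
        return -1;

    errno = 0;
    v = strtol(s, &end, 16);
    /* The subject sequence must be exactly the n digits counted above. */
    if (errno != 0 || end != s + n)
        return -1;
    *endp = end;
    return v;
}

/* Convenience wrappers: characters accepted (-1 on rejection) and value. */
int hextet_len(const char *s)
{
    const char *end;
    if (parse_hextet(s, &end) < 0)
        return -1;
    return (int)(end - s);
}

long hextet_value(const char *s)
{
    const char *end;
    return parse_hextet(s, &end);
}

/* Report how many characters this libc's strtol consumes for an input.
 * The answer for "0x" with base 16 is the implementation-dependent point
 * the ticket comment is discussing, so nothing here relies on it. */
long strtol_consumed(const char *s, int base)
{
    char *end;
    (void)strtol(s, &end, base);
    return (long)(end - s);
}

int main(void)
{
    /* Constructed probe inputs. */
    const char *probes[] = { "0x", "0x1f", "0", "1f" };
    size_t i;

    for (i = 0; i < 4; i++)
        printf("strtol(\"%s\", base 16) consumed %ld char(s) on this libc\n",
               probes[i], strtol_consumed(probes[i], 16));
    for (i = 0; i < 4; i++)
        printf("parse_hextet(\"%s\") -> value %ld, consumed %d\n",
               probes[i], hextet_value(probes[i]), hextet_len(probes[i]));
    return 0;
}
```

Running it on different platforms shows the libc-specific `strtol_consumed("0x", 16)` result vary, while `parse_hextet` gives the same answers everywhere because the prefix never reaches `strtol`.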
