[tor-bugs] #32363 [Core Tor/Tor]: tor_inet_aton parsing of IPv4 literals is too lax

Tor Bug Tracker & Wiki blackhole at torproject.org
Wed Feb 5 23:03:37 UTC 2020


#32363: tor_inet_aton parsing of IPv4 literals is too lax
----------------------------------------+----------------------------------
 Reporter:  liberat                     |          Owner:  neel
     Type:  enhancement                 |         Status:  needs_review
 Priority:  Medium                      |      Milestone:  Tor:
                                        |  0.4.4.x-final
Component:  Core Tor/Tor                |        Version:
 Severity:  Normal                      |     Resolution:
 Keywords:  BugSmashFund, extra-review  |  Actual Points:
Parent ID:                              |         Points:  0.2
 Reviewer:  nickm                       |        Sponsor:
----------------------------------------+----------------------------------

Comment (by teor):

 Replying to [comment:15 nickm]:
 > > Now with the last changes, we do use the heap quite a bit with the
 smartlist_t so why would we prefer not using the heap in the first place?
 Does it still matter now?
 >
 > It doesn't matter except to the extent that it slows us down... we
 should keep an eye on profiles after we merge this.
 >
 > > Can we add a smartlist_core dependency to lib/net ?
 >
 > Yes: to see why, run `./scripts/maint/practracker/includes.py
 --toposort` for a topological sort of our current modules from lowest to
 highest level.  It appears that `net` is already much higher than
 smartlist_core.
 >
 > One thing I want to think about, though: do we care about the
 fingerprinting issue?  That is, this patch will create a class of
 addresses that some clients will parse and some clients will reject.  Is
 that a security issue to worry about, or are we cool here?

 Authorities canonicalise addresses before they create the microdesc
 consensus and microdescriptors, so the only affected clients are bridge
 clients. (Bridge clients download relay descriptors.)

 And for clients that use full relay descriptors on the public network,
 authorities will stop voting for those relays pretty soon.

 So I don't think this has a significant impact.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/32363#comment:16>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online


More information about the tor-bugs mailing list