[tor-commits] [tor/master] hs: Avoid a strlen(NULL) if descriptor is not found in cache

nickm at torproject.org nickm at torproject.org
Wed Feb 15 17:20:22 UTC 2017 

commit 3336f26e60b0f24c8e028ed8fb9aea04d19c5c8a
Author: David Goulet <dgoulet at torproject.org>
Date:   Wed Feb 15 10:27:32 2017 -0500

    hs: Avoid a strlen(NULL) if descriptor is not found in cache
    
    Instead of returning 404 error code, this led to a NULL pointer being used and
    thus a crash of tor.
    
    Fixes #21471
    
    Signed-off-by: David Goulet <dgoulet at torproject.org>
---
 changes/bug21471         |  5 +++++
 src/or/directory.c       |  2 +-
 src/test/test_hs_cache.c | 18 ++++++++++++++++++
 3 files changed, 24 insertions(+), 1 deletion(-)

diff --git a/changes/bug21471 b/changes/bug21471
new file mode 100644
index 0000000..684035b
--- /dev/null
+++ b/changes/bug21471
@@ -0,0 +1,5 @@
+  o Major bugfixes (hidden service directory v3):
+    - When a descriptor lookup was done and it was not found in the directory
+      cache, it would crash on a NULL pointer instead of returning the 404
+      code back to the client like it was suppose to. Fixes bug 21471.;
+      bugfixes on tor-0.3.0.1-alpha.
diff --git a/src/or/directory.c b/src/or/directory.c
index c7f2012..80d3c30 100644
--- a/src/or/directory.c
+++ b/src/or/directory.c
@@ -3533,7 +3533,7 @@ handle_get_hs_descriptor_v3(dir_connection_t *conn,
   pubkey_str = url + strlen("/tor/hs/3/");
   retval = hs_cache_lookup_as_dir(HS_VERSION_THREE,
                                   pubkey_str, &desc_str);
-  if (retval < 0) {
+  if (retval <= 0 || desc_str == NULL) {
     write_http_status_line(conn, 404, "Not found");
     goto done;
   }
diff --git a/src/test/test_hs_cache.c b/src/test/test_hs_cache.c
index 64391a7..1943d0f 100644
--- a/src/test/test_hs_cache.c
+++ b/src/test/test_hs_cache.c
@@ -361,6 +361,15 @@ test_upload_and_download_hs_desc(void *arg)
   /* Initialize HSDir cache subsystem */
   init_test();
 
+  /* Test a descriptor not found in the directory cache. */
+  {
+    ed25519_public_key_t blinded_key;
+    memset(&blinded_key.pubkey, 'A', sizeof(blinded_key.pubkey));
+    received_desc_str = helper_fetch_desc_from_hsdir(&blinded_key);
+    tt_int_op(strlen(received_desc_str), OP_EQ, 0);
+    tor_free(received_desc_str);
+  }
+
   /* Generate a valid descriptor with normal values. */
   {
     ed25519_keypair_t signing_kp;
@@ -388,6 +397,15 @@ test_upload_and_download_hs_desc(void *arg)
 
   /* Verify we received the exact same descriptor we published earlier */
   tt_str_op(received_desc_str, OP_EQ, published_desc_str);
+  tor_free(received_desc_str);
+
+  /* With a valid descriptor in the directory cache, try again an invalid. */
+  {
+    ed25519_public_key_t blinded_key;
+    memset(&blinded_key.pubkey, 'A', sizeof(blinded_key.pubkey));
+    received_desc_str = helper_fetch_desc_from_hsdir(&blinded_key);
+    tt_int_op(strlen(received_desc_str), OP_EQ, 0);
+  }
 
  done:
   tor_free(received_desc_str);

More information about the tor-commits mailing list