diff --git a/changes/bug8037 b/changes/bug8037 new file mode 100644 index 0000000000..989745fc39 --- /dev/null +++ b/changes/bug8037 @@ -0,0 +1,8 @@ + o Minor bugfixes: + - Correctly store microdescriptors and extrainfo descriptors with + an internal NUL byte. Fixes bug 8037; bugfix on 0.2.0.1-alpha. + Bug reported by "cypherpunks". + + o Minor features: + - Reject as invalid most directory objects containing a + NUL. Belt-and-suspender fix for bug 8037. diff --git a/src/common/util.c b/src/common/util.c index 2f1bc6171b..db160fdf0a 100644 --- a/src/common/util.c +++ b/src/common/util.c @@ -281,6 +281,20 @@ tor_memdup_(const void *mem, size_t len DMALLOC_PARAMS) return dup; } +/** As tor_memdup(), but add an extra 0 byte at the end of the resulting + * memory. */ +void * +tor_memdup_nulterm(const void *mem, size_t len DMALLOC_PARAMS) +{ + char *dup; + tor_assert(len < SIZE_T_CEILING+1); + tor_assert(mem); + dup = tor_malloc_(len+1 DMALLOC_FN_ARGS); + memcpy(dup, mem, len); + dup[len] = '\0'; + return dup; +} + /** Helper for places that need to take a function pointer to the right * spelling of "free()". */ void diff --git a/src/common/util.h b/src/common/util.h index 712352b032..96a02dd775 100644 --- a/src/common/util.h +++ b/src/common/util.h @@ -83,6 +83,8 @@ char *tor_strndup_(const char *s, size_t n DMALLOC_PARAMS) ATTR_MALLOC ATTR_NONNULL((1)); void *tor_memdup_(const void *mem, size_t len DMALLOC_PARAMS) ATTR_MALLOC ATTR_NONNULL((1)); +void *tor_memdup_nulterm_(const void *mem, size_t len DMALLOC_PARAMS) + ATTR_MALLOC ATTR_NONNULL((1)); void tor_free_(void *mem); #ifdef USE_DMALLOC extern int dmalloc_free(const char *file, const int line, void *pnt, 
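Review bot: The definition added in the src/common/util.c hunk is spelled `tor_memdup_nulterm`, but the util.h hunks of this commit declare `tor_memdup_nulterm_` and define `tor_memdup_nulterm(s, n)` as a macro forwarding to it. As written, the function gets the declared name only if that macro rewrites the definition line, which presumably works only while `DMALLOC_PARAMS` and `DMALLOC_ARGS` expand to nothing; a dmalloc build would likely fail to compile. Rename the definition to match its siblings: `tor_memdup_nulterm_(const void *mem, size_t len DMALLOC_PARAMS)`. The doc comment could also say that the result is `len+1` bytes and that NUL bytes inside `mem` are copied unchanged, since that is what the routerparse.c callers rely on.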
@@ -116,6 +118,7 @@ extern int dmalloc_free(const char *file, const int line, void *pnt, #define tor_strdup(s) tor_strdup_(s DMALLOC_ARGS) #define tor_strndup(s, n) tor_strndup_(s, n DMALLOC_ARGS) #define tor_memdup(s, n) tor_memdup_(s, n DMALLOC_ARGS) +#define tor_memdup_nulterm(s, n) tor_memdup_nulterm_(s, n DMALLOC_ARGS) void tor_log_mallinfo(int severity); diff --git a/src/or/routerparse.c b/src/or/routerparse.c index 0eadcc90f7..370cf2682e 100644 --- a/src/or/routerparse.c +++ b/src/or/routerparse.c @@ -1494,7 +1494,7 @@ extrainfo_parse_entry_from_string(const char *s, const char *end, extrainfo = tor_malloc_zero(sizeof(extrainfo_t)); extrainfo->cache_info.is_extrainfo = 1; if (cache_copy) - extrainfo->cache_info.signed_descriptor_body = tor_strndup(s, end-s); + extrainfo->cache_info.signed_descriptor_body = tor_memdup_nulterm(s, end-s); extrainfo->cache_info.signed_descriptor_len = end-s; memcpy(extrainfo->cache_info.signed_descriptor_digest, digest, DIGEST_LEN); @@ -3921,8 +3921,15 @@ tokenize_string(memarea_t *area, tor_assert(area); s = &start; - if (!end) + if (!end) { end = start+strlen(start); + } else { + /* it's only meaningful to check for nuls if we got an end-of-string ptr */ + if (memchr(start, '\0', end-start)) { + log_warn(LD_DIR, "parse error: internal NUL character."); + return -1; + } + } for (i = 0; i < NIL_; ++i) counts[i] = 0; @@ -4256,7 +4263,7 @@ microdescs_parse_from_string(const char *s, const char *eos, md->bodylen = start_of_next_microdesc - cp; if (copy_body) - md->body = tor_strndup(cp, md->bodylen); + md->body = tor_memdup_nulterm(cp, md->bodylen); else md->body = (char*)cp; md->off = cp - start;
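Review bot: Nothing at the new `tor_memdup_nulterm(s, end-s)` call in extrainfo_parse_entry_from_string records why `tor_strndup` was wrong here, so a later cleanup could swap it back. A string-style copy presumably stops copying at the first NUL, so the cached body would no longer match the `end-s` bytes recorded in `signed_descriptor_len`; the code that later reads the body by that length is outside the hunk. I would add a comment such as `/* Not tor_strndup(): the body may contain a NUL and must hold exactly signed_descriptor_len bytes. */`. The same applies to `md->body = tor_memdup_nulterm(cp, md->bodylen);` in the microdescs_parse_from_string hunk.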
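Review bot: In the tokenize_string hunk, the length passed to `memchr(start, '\0', end-start)` is a pointer difference converted to `size_t`, and nothing visible here establishes that `end >= start`. If a caller ever supplied an `end` that precedes `start`, the scan would run far beyond the buffer. The function already asserts `area`, so adding `tor_assert(end >= start);` at the top of the `else` branch would make the precondition explicit. The callers and the rest of the body are outside the hunk, so this may already be guaranteed elsewhere. The function's doc comment should also mention that input with an embedded NUL now returns -1.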