From 8054e81e14e20101e355a7c58d7e5ea7ec231d96 Mon Sep 17 00:00:00 2001 From: Nick Mathewson Date: Thu, 4 Aug 2011 12:03:31 -0400 Subject: [PATCH] Treat socks_request->{username,password} as non-NUL-terminated They *are* non-NUL-terminated, after all (and they have to be, since the SOCKS5 spec allows them to contain embedded NULs. But the code to implement proposal 171 was copying them with tor_strdup and comparing them with strcmp_opt. Fix for bug on 3683; bug not present in any yet-released version. --- src/or/connection_edge.c | 50 ++++++++++++++++++++++++++++++++-------- src/or/or.h | 4 ++++ 2 files changed, 44 insertions(+), 10 deletions(-) diff --git a/src/or/connection_edge.c b/src/or/connection_edge.c index 8f550cf66a..83102bac51 100644 --- a/src/or/connection_edge.c +++ b/src/or/connection_edge.c @@ -3329,6 +3329,23 @@ parse_extended_hostname(char *address, int allowdotexit) return BAD_HOSTNAME; } +/** Return true iff the (possibly NULL) alen-byte chunk of memory at + * a is equal to the (possibly NULL) blen-byte chunk of memory + * at b. */ +static int +memeq_opt(const char *a, size_t alen, const char *b, size_t blen) +{ + if (a == NULL) { + return (b == NULL); + } else if (b == NULL) { + return 0; + } else if (alen != blen) { + return 0; + } else { + return tor_memeq(a, b, alen); + } +} + /** Return true iff a and b have isolation rules and fields that * make it permissible to put them on the same circuit.*/ int @@ -3336,6 +3353,8 @@ connection_edge_streams_are_compatible(const edge_connection_t *a, const edge_connection_t *b) { const uint8_t iso = a->isolation_flags | b->isolation_flags; + const socks_request_t *a_sr = a->socks_request; + const socks_request_t *b_sr = b->socks_request; if (! a->original_dest_address) { log_warn(LD_BUG, "Reached connection_edge_streams_are_compatible without " @@ -3359,8 +3378,10 @@ connection_edge_streams_are_compatible(const edge_connection_t *a, strcasecmp(a->original_dest_address, b->original_dest_address)) return 0; if ((iso & ISO_SOCKSAUTH) && - (strcmp_opt(a->socks_request->username, b->socks_request->username) || - strcmp_opt(a->socks_request->password, b->socks_request->password))) + (! memeq_opt(a_sr->username, a_sr->usernamelen, + b_sr->username, b_sr->usernamelen) || + ! memeq_opt(a_sr->password, a_sr->passwordlen, + b_sr->password, b_sr->passwordlen))) return 0; if ((iso & ISO_CLIENTPROTO) && (a->socks_request->listener_type != b->socks_request->listener_type || @@ -3386,6 +3407,7 @@ connection_edge_compatible_with_circuit(const edge_connection_t *conn, const origin_circuit_t *circ) { const uint8_t iso = conn->isolation_flags; + const socks_request_t *sr = conn->socks_request; /* If circ has never been used for an isolated connection, we can * totally use it for this one. */ @@ -3421,8 +3443,10 @@ connection_edge_compatible_with_circuit(const edge_connection_t *conn, strcasecmp(conn->original_dest_address, circ->dest_address)) return 0; if ((iso & ISO_SOCKSAUTH) && - (strcmp_opt(conn->socks_request->username, circ->socks_username) || - strcmp_opt(conn->socks_request->password, circ->socks_password))) + (! memeq_opt(sr->username, sr->usernamelen, + circ->socks_username, circ->socks_username_len) || + ! memeq_opt(sr->password, sr->passwordlen, + circ->socks_password, circ->socks_password_len))) return 0; if ((iso & ISO_CLIENTPROTO) && (conn->socks_request->listener_type != circ->client_proto_type || @@ -3452,6 +3476,7 @@ connection_edge_update_circuit_isolation(const edge_connection_t *conn, origin_circuit_t *circ, int dry_run) { + const socks_request_t *sr = conn->socks_request; if (! conn->original_dest_address) { log_warn(LD_BUG, "Reached connection_update_circuit_isolation without " "having set conn->original_dest_address"); @@ -3469,10 +3494,12 @@ connection_edge_update_circuit_isolation(const edge_connection_t *conn, tor_addr_copy(&circ->client_addr, &TO_CONN(conn)->addr); circ->session_group = conn->session_group; circ->nym_epoch = conn->nym_epoch; - circ->socks_username = conn->socks_request->username ? - tor_strdup(conn->socks_request->username) : NULL; - circ->socks_password = conn->socks_request->password ? - tor_strdup(conn->socks_request->password) : NULL; + circ->socks_username = sr->username ? + tor_memdup(sr->username, sr->usernamelen) : NULL; + circ->socks_password = sr->password ? + tor_memdup(sr->password, sr->passwordlen) : NULL; + circ->socks_username_len = sr->usernamelen; + circ->socks_password_len = sr->passwordlen; circ->isolation_values_set = 1; return 0; @@ -3482,8 +3509,10 @@ connection_edge_update_circuit_isolation(const edge_connection_t *conn, mixed |= ISO_DESTPORT; if (strcasecmp(conn->original_dest_address, circ->dest_address)) mixed |= ISO_DESTADDR; - if (strcmp_opt(conn->socks_request->username, circ->socks_username) || - strcmp_opt(conn->socks_request->password, circ->socks_password)) + if (!memeq_opt(sr->username, sr->usernamelen, + circ->socks_username, circ->socks_username_len) || + !memeq_opt(sr->password, sr->passwordlen, + circ->socks_password, circ->socks_password_len)) mixed |= ISO_SOCKSAUTH; if ((conn->socks_request->listener_type != circ->client_proto_type || conn->socks_request->socks_version != circ->client_proto_socksver)) @@ -3542,5 +3571,6 @@ circuit_clear_isolation(origin_circuit_t *circ) circ->nym_epoch = 0; tor_free(circ->socks_username); tor_free(circ->socks_password); + circ->socks_username_len = circ->socks_password_len = 0; } diff --git a/src/or/or.h b/src/or/or.h index 150971b5fb..e7670bb530 100644 --- a/src/or/or.h +++ b/src/or/or.h @@ -2524,6 +2524,10 @@ typedef struct origin_circuit_t { char *dest_address; int session_group; unsigned nym_epoch; + uint8_t socks_username_len; + uint8_t socks_password_len; + /* Note that the next two values are NOT NUL-terminated; see + socks_username_len and socks_password_len for their lengths. */ char *socks_username; char *socks_password; /**@}*/