diff --git a/changes/routerparse_maxima b/changes/routerparse_maxima new file mode 100644 index 0000000000..340f2c3c2d --- /dev/null +++ b/changes/routerparse_maxima @@ -0,0 +1,4 @@ + o Minor bugfixes + - Check for and reject overly long directory certificates and + directory tokens before they have a chance to hit any + assertions. Bugfix on 0.2.1.28. Found by doorss. diff --git a/src/or/routerparse.c b/src/or/routerparse.c index 08f81d9f76..5ceb298b8b 100644 --- a/src/or/routerparse.c +++ b/src/or/routerparse.c @@ -1720,6 +1720,10 @@ extrainfo_parse_entry_from_string(const char *s, const char *end, authority_cert_t * authority_cert_parse_from_string(const char *s, const char **end_of_string) { + /** Reject any certificate at least this big; it is probably an overflow, an + * attack, a bug, or some other nonsense. */ +#define MAX_CERT_SIZE (128*1024) + authority_cert_t *cert = NULL, *old_cert; smartlist_t *tokens = NULL; char digest[DIGEST_LEN]; @@ -1747,6 +1751,12 @@ authority_cert_parse_from_string(const char *s, const char **end_of_string) ++eos; len = eos - s; + if (len > MAX_CERT_SIZE) { + log_warn(LD_DIR, "Certificate is far too big (at %lu bytes long); " + "rejecting", (unsigned long)len); + return NULL; + } + tokens = smartlist_create(); area = memarea_new(); if (tokenize_string(area,s, eos, tokens, dir_key_certificate_table, 0) < 0) { @@ -3818,6 +3828,9 @@ get_next_token(memarea_t *area, /** Reject any object at least this big; it is probably an overflow, an * attack, a bug, or some other nonsense. */ #define MAX_UNPARSED_OBJECT_SIZE (128*1024) + /** Reject any line at least this big; it is probably an overflow, an + * attack, a bug, or some other nonsense. */ +#define MAX_LINE_LENGTH (128*1024) const char *next, *eol, *obstart; size_t obname_len; @@ -3837,6 +3850,10 @@ get_next_token(memarea_t *area, eol = memchr(*s, '\n', eos-*s); if (!eol) eol = eos; + if (eol - *s > MAX_LINE_LENGTH) { + RET_ERR("Line far too long"); + } + next = find_whitespace_eos(*s, eol); if (!strcmp_len(*s, "opt", next-*s)) {