Merge remote branch 'origin/maint-0.2.1' into maint-0.2.2

Nick Mathewson 2011-01-19 13:25:38 -05:00
commit a793f1f6f2
2 changed files with 21 additions and 0 deletions


@ -0,0 +1,4 @@
o Minor bugfixes
- Check for and reject overly long directory certificates and
directory tokens before they have a chance to hit any
assertions. Bugfix on 0.2.1.28. Found by doorss.


@ -1720,6 +1720,10 @@ extrainfo_parse_entry_from_string(const char *s, const char *end,
authority_cert_t * authority_cert_t *
authority_cert_parse_from_string(const char *s, const char **end_of_string) authority_cert_parse_from_string(const char *s, const char **end_of_string)
{ {
/** Reject any certificate at least this big; it is probably an overflow, an
* attack, a bug, or some other nonsense. */
#define MAX_CERT_SIZE (128*1024)
authority_cert_t *cert = NULL, *old_cert; authority_cert_t *cert = NULL, *old_cert;
smartlist_t *tokens = NULL; smartlist_t *tokens = NULL;
char digest[DIGEST_LEN]; char digest[DIGEST_LEN];
@ -1747,6 +1751,12 @@ authority_cert_parse_from_string(const char *s, const char **end_of_string)
++eos; ++eos;
len = eos - s; len = eos - s;
if (len > MAX_CERT_SIZE) {
log_warn(LD_DIR, "Certificate is far too big (at %lu bytes long); "
"rejecting", (unsigned long)len);
return NULL;
}
tokens = smartlist_create(); tokens = smartlist_create();
area = memarea_new(); area = memarea_new();
if (tokenize_string(area,s, eos, tokens, dir_key_certificate_table, 0) < 0) { if (tokenize_string(area,s, eos, tokens, dir_key_certificate_table, 0) < 0) {
@ -3818,6 +3828,9 @@ get_next_token(memarea_t *area,
/** Reject any object at least this big; it is probably an overflow, an /** Reject any object at least this big; it is probably an overflow, an
* attack, a bug, or some other nonsense. */ * attack, a bug, or some other nonsense. */
#define MAX_UNPARSED_OBJECT_SIZE (128*1024) #define MAX_UNPARSED_OBJECT_SIZE (128*1024)
/** Reject any line at least this big; it is probably an overflow, an
* attack, a bug, or some other nonsense. */
#define MAX_LINE_LENGTH (128*1024)
const char *next, *eol, *obstart; const char *next, *eol, *obstart;
size_t obname_len; size_t obname_len;
@ -3837,6 +3850,10 @@ get_next_token(memarea_t *area,
eol = memchr(*s, '\n', eos-*s); eol = memchr(*s, '\n', eos-*s);
if (!eol) if (!eol)
eol = eos; eol = eos;
if (eol - *s > MAX_LINE_LENGTH) {
RET_ERR("Line far too long");
}
next = find_whitespace_eos(*s, eol); next = find_whitespace_eos(*s, eol);
if (!strcmp_len(*s, "opt", next-*s)) { if (!strcmp_len(*s, "opt", next-*s)) {
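Review bot: Both new size checks compare with `>` while the comments on their limits say "at least this big", so a certificate or line of exactly 128*1024 bytes is still accepted by `if (len > MAX_CERT_SIZE)` in authority_cert_parse_from_string and by `if (eol - *s > MAX_LINE_LENGTH)` in get_next_token. Because the point of the change is to turn oversized input away before it reaches an assertion further down, the boundary should be chosen deliberately: either tighten the tests to `if (len >= MAX_CERT_SIZE)` and `if (eol - *s >= MAX_LINE_LENGTH)`, or reword the comments to "bigger than this". The bare `return NULL` in the certificate check looks safe where it sits, since `tokens` and `area` are only created after it. Both function bodies continue outside the visible hunks, so it is worth confirming that nothing acquired earlier depends on the function's normal error path.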