mirror of
https://gitlab.torproject.org/tpo/core/tor.git
synced 2024-11-28 14:23:30 +01:00
Merge remote branch 'origin/maint-0.2.1' into maint-0.2.2
This commit is contained in:
commit
a793f1f6f2
4
changes/routerparse_maxima
Normal file
4
changes/routerparse_maxima
Normal file
@ -0,0 +1,4 @@
|
|||||||
|
o Minor bugfixes
|
||||||
|
- Check for and reject overly long directory certificates and
|
||||||
|
directory tokens before they have a chance to hit any
|
||||||
|
assertions. Bugfix on 0.2.1.28. Found by doorss.
|
@ -1720,6 +1720,10 @@ extrainfo_parse_entry_from_string(const char *s, const char *end,
|
|||||||
authority_cert_t *
|
authority_cert_t *
|
||||||
authority_cert_parse_from_string(const char *s, const char **end_of_string)
|
authority_cert_parse_from_string(const char *s, const char **end_of_string)
|
||||||
{
|
{
|
||||||
|
/** Reject any certificate at least this big; it is probably an overflow, an
|
||||||
|
* attack, a bug, or some other nonsense. */
|
||||||
|
#define MAX_CERT_SIZE (128*1024)
|
||||||
|
|
||||||
authority_cert_t *cert = NULL, *old_cert;
|
authority_cert_t *cert = NULL, *old_cert;
|
||||||
smartlist_t *tokens = NULL;
|
smartlist_t *tokens = NULL;
|
||||||
char digest[DIGEST_LEN];
|
char digest[DIGEST_LEN];
|
||||||
@ -1747,6 +1751,12 @@ authority_cert_parse_from_string(const char *s, const char **end_of_string)
|
|||||||
++eos;
|
++eos;
|
||||||
len = eos - s;
|
len = eos - s;
|
||||||
|
|
||||||
|
if (len > MAX_CERT_SIZE) {
|
||||||
|
log_warn(LD_DIR, "Certificate is far too big (at %lu bytes long); "
|
||||||
|
"rejecting", (unsigned long)len);
|
||||||
|
return NULL;
|
||||||
|
}
|
||||||
|
|
||||||
tokens = smartlist_create();
|
tokens = smartlist_create();
|
||||||
area = memarea_new();
|
area = memarea_new();
|
||||||
if (tokenize_string(area,s, eos, tokens, dir_key_certificate_table, 0) < 0) {
|
if (tokenize_string(area,s, eos, tokens, dir_key_certificate_table, 0) < 0) {
|
||||||
@ -3818,6 +3828,9 @@ get_next_token(memarea_t *area,
|
|||||||
/** Reject any object at least this big; it is probably an overflow, an
|
/** Reject any object at least this big; it is probably an overflow, an
|
||||||
* attack, a bug, or some other nonsense. */
|
* attack, a bug, or some other nonsense. */
|
||||||
#define MAX_UNPARSED_OBJECT_SIZE (128*1024)
|
#define MAX_UNPARSED_OBJECT_SIZE (128*1024)
|
||||||
|
/** Reject any line at least this big; it is probably an overflow, an
|
||||||
|
* attack, a bug, or some other nonsense. */
|
||||||
|
#define MAX_LINE_LENGTH (128*1024)
|
||||||
|
|
||||||
const char *next, *eol, *obstart;
|
const char *next, *eol, *obstart;
|
||||||
size_t obname_len;
|
size_t obname_len;
|
||||||
@ -3837,6 +3850,10 @@ get_next_token(memarea_t *area,
|
|||||||
eol = memchr(*s, '\n', eos-*s);
|
eol = memchr(*s, '\n', eos-*s);
|
||||||
if (!eol)
|
if (!eol)
|
||||||
eol = eos;
|
eol = eos;
|
||||||
|
if (eol - *s > MAX_LINE_LENGTH) {
|
||||||
|
RET_ERR("Line far too long");
|
||||||
|
}
|
||||||
|
|
||||||
next = find_whitespace_eos(*s, eol);
|
next = find_whitespace_eos(*s, eol);
|
||||||
|
|
||||||
if (!strcmp_len(*s, "opt", next-*s)) {
|
if (!strcmp_len(*s, "opt", next-*s)) {
|
||||||
|
Loading…
Reference in New Issue
Block a user