From bb3f74e66bd9df94ce9d1949164348efac728ea9 Mon Sep 17 00:00:00 2001 From: Nick Mathewson Date: Mon, 3 Jul 2017 11:20:09 -0400 Subject: [PATCH] Fix assertion failure related to openbsd strtol(). Fixes bug 22789; bugfix on 0.2.3.8-alpha. --- changes/bug22789 | 6 ++++++ src/common/compat.c | 8 ++++++-- src/test/test_addr.c | 9 +++++++++ 3 files changed, 21 insertions(+), 2 deletions(-) create mode 100644 changes/bug22789 diff --git a/changes/bug22789 b/changes/bug22789 new file mode 100644 index 0000000000..dc9fa29811 --- /dev/null +++ b/changes/bug22789 @@ -0,0 +1,6 @@ + o Major bugfixes (openbsd, denial-of-service): + - Avoid an assertion failure bug affecting our implementation of + inet_pton(AF_INET6) on certain OpenBSD systems whose strtol() + handling of "0xfoo" differs from what we had expected. + Fixes bug 22789; bugfix on 0.2.3.8-alpha. + diff --git a/src/common/compat.c b/src/common/compat.c index d88c5f92de..b77f25b467 100644 --- a/src/common/compat.c +++ b/src/common/compat.c @@ -2045,8 +2045,12 @@ tor_inet_pton(int af, const char *src, void *dst) char *next; ssize_t len; long r = strtol(src, &next, 16); - tor_assert(next != NULL); - tor_assert(next != src); + if (next == NULL || next == src) { + /* The 'next == src' error case can happen on versions of openbsd + * where treats "0xfoo" as an error, rather than as "0" followed by + * "xfoo". */ + return 0; + } len = *next == '\0' ? eow - src : next - src; if (len > 4) diff --git a/src/test/test_addr.c b/src/test/test_addr.c index fec85a4696..645fc643db 100644 --- a/src/test/test_addr.c +++ b/src/test/test_addr.c @@ -340,6 +340,15 @@ test_addr_ip6_helpers(void) test_pton6_bad("a:::b:c"); test_pton6_bad(":::a:b:c"); test_pton6_bad("a:b:c:::"); + /* Regression tests for 22789. */ + test_pton6_bad("0xfoo"); + test_pton6_bad("0x88"); + test_pton6_bad("0xyxxy"); + test_pton6_bad("0XFOO"); + test_pton6_bad("0X88"); + test_pton6_bad("0XYXXY"); + test_pton6_bad("0x"); + test_pton6_bad("0X"); /* test internal checking */ test_external_ip("fbff:ffff::2:7", 0);