Correctly handle broken escape sequences in torrc values

Previously, malformatted torrc values could crash us. Patch by Esteban Manchado. Fixes bug 5090; fix on 0.2.0.16-alpha.
2024-09-21 05:26:20 +02:00 · 2012-03-09 11:50:22 -05:00 · 2012-03-09 11:50:22 -05:00 · be0535f00b
commit be0535f00b
parent fe50b676bc
2 changed files with 24 additions and 6 deletions
--- a/changes/bug5090
+++ b/changes/bug5090
@ -0,0 +1,6 @@
+  o Minor bugfixes:
+    - Detect and reject certain misformed escape sequences in configuration
+      values. Previously, these values would cause us to crash if received
+      in a torrc file or over an (authenticated) control port. Patch by
+      Esteban Manchado Velázquez. Fix for bug 5090; bugfix on 0.2.0.16-alpha.
+      
--- a/src/common/util.c
+++ b/src/common/util.c
@ -2212,14 +2212,16 @@ unescape_string(const char *s, char **result, size_t *size_out)
      case '\"':
        goto end_of_loop;
      case '\\':
-        if ((cp[1] == 'x' || cp[1] == 'X')
-            && TOR_ISXDIGIT(cp[2]) && TOR_ISXDIGIT(cp[3])) {
+        if (cp[1] == 'x' || cp[1] == 'X') {
+          if (!(TOR_ISXDIGIT(cp[2]) && TOR_ISXDIGIT(cp[3])))
+            return NULL;
          cp += 4;
        } else if (TOR_ISODIGIT(cp[1])) {
          cp += 2;
          if (TOR_ISODIGIT(*cp)) ++cp;
          if (TOR_ISODIGIT(*cp)) ++cp;
-        } else if (cp[1]) {
+        } else if (cp[1] == 'n' || cp[1] == 'r' || cp[1] == 't' || cp[1] == '"'
+                   || cp[1] == '\\' || cp[1] == '\'') {
          cp += 2;
        } else {
          return NULL;
@ -2251,9 +2253,19 @@ unescape_string(const char *s, char **result, size_t *size_out)
          case 'r': *out++ = '\r'; cp += 2; break;
          case 't': *out++ = '\t'; cp += 2; break;
          case 'x': case 'X':
-            *out++ = ((hex_decode_digit(cp[2])<<4) +
-                      hex_decode_digit(cp[3]));
-            cp += 4;
+            {
+              int x1, x2;
+
+              x1 = hex_decode_digit(cp[2]);
+              x2 = hex_decode_digit(cp[3]);
+              if (x1 == -1 || x2 == -1) {
+                  tor_free(*result);
+                  return NULL;
+              }
+
+              *out++ = ((x1<<4) + x2);
+              cp += 4;
+            }
            break;
          case '0': case '1': case '2': case '3': case '4': case '5':
          case '6': case '7':