mirror of
https://gitlab.torproject.org/tpo/core/tor.git
synced 2024-11-10 13:13:44 +01:00
Merge branch 'maint-0.3.2' into maint-0.3.3
This commit is contained in:
commit
f7eff2f8c5
3
changes/bug25249
Normal file
3
changes/bug25249
Normal file
@ -0,0 +1,3 @@
|
|||||||
|
o Minor bugfixes (spec conformance):
|
||||||
|
- Forbid "-0" as a protocol version. Fixes part of bug 25249; bugfix on
|
||||||
|
0.2.9.4-alpha.
|
3
changes/bug25249.2
Normal file
3
changes/bug25249.2
Normal file
@ -0,0 +1,3 @@
|
|||||||
|
o Minor bugfixes (spec conformance):
|
||||||
|
- Forbid UINT32_MAX as a protocol version. Fixes part of bug 25249;
|
||||||
|
bugfix on 0.2.9.4-alpha.
|
6
changes/trove-2018-001.1
Normal file
6
changes/trove-2018-001.1
Normal file
@ -0,0 +1,6 @@
|
|||||||
|
o Major bugfixes (denial-of-service, directory authority):
|
||||||
|
- Fix a protocol-list handling bug that could be used to remotely crash
|
||||||
|
directory authorities with a null-pointer exception. Fixes bug 25074;
|
||||||
|
bugfix on 0.2.9.4-alpha. Also tracked as TROVE-2018-001.
|
||||||
|
|
||||||
|
|
8
changes/trove-2018-004
Normal file
8
changes/trove-2018-004
Normal file
@ -0,0 +1,8 @@
|
|||||||
|
o Minor bugfixes (denial-of-service):
|
||||||
|
- Fix a possible crash on malformed consensus. If a consensus had
|
||||||
|
contained an unparseable protocol line, it could have made clients
|
||||||
|
and relays crash with a null-pointer exception. To exploit this
|
||||||
|
issue, however, an attacker would need to be able to subvert the
|
||||||
|
directory-authority system. Fixes bug 25251; bugfix on
|
||||||
|
0.2.9.4-alpha. Also tracked as TROVE-2018-004.
|
||||||
|
|
@ -106,6 +106,9 @@ proto_entry_free_(proto_entry_t *entry)
|
|||||||
tor_free(entry);
|
tor_free(entry);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/** The largest possible protocol version. */
|
||||||
|
#define MAX_PROTOCOL_VERSION (UINT32_MAX-1)
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Given a string <b>s</b> and optional end-of-string pointer
|
* Given a string <b>s</b> and optional end-of-string pointer
|
||||||
* <b>end_of_range</b>, parse the protocol range and store it in
|
* <b>end_of_range</b>, parse the protocol range and store it in
|
||||||
@ -126,9 +129,14 @@ parse_version_range(const char *s, const char *end_of_range,
|
|||||||
if (BUG(!end_of_range))
|
if (BUG(!end_of_range))
|
||||||
end_of_range = s + strlen(s); // LCOV_EXCL_LINE
|
end_of_range = s + strlen(s); // LCOV_EXCL_LINE
|
||||||
|
|
||||||
|
/* A range must start with a digit. */
|
||||||
|
if (!TOR_ISDIGIT(*s)) {
|
||||||
|
goto error;
|
||||||
|
}
|
||||||
|
|
||||||
/* Note that this wouldn't be safe if we didn't know that eventually,
|
/* Note that this wouldn't be safe if we didn't know that eventually,
|
||||||
* we'd hit a NUL */
|
* we'd hit a NUL */
|
||||||
low = (uint32_t) tor_parse_ulong(s, 10, 0, UINT32_MAX, &ok, &next);
|
low = (uint32_t) tor_parse_ulong(s, 10, 0, MAX_PROTOCOL_VERSION, &ok, &next);
|
||||||
if (!ok)
|
if (!ok)
|
||||||
goto error;
|
goto error;
|
||||||
if (next > end_of_range)
|
if (next > end_of_range)
|
||||||
@ -141,13 +149,21 @@ parse_version_range(const char *s, const char *end_of_range,
|
|||||||
if (*next != '-')
|
if (*next != '-')
|
||||||
goto error;
|
goto error;
|
||||||
s = next+1;
|
s = next+1;
|
||||||
|
|
||||||
/* ibid */
|
/* ibid */
|
||||||
high = (uint32_t) tor_parse_ulong(s, 10, 0, UINT32_MAX, &ok, &next);
|
if (!TOR_ISDIGIT(*s)) {
|
||||||
|
goto error;
|
||||||
|
}
|
||||||
|
high = (uint32_t) tor_parse_ulong(s, 10, 0,
|
||||||
|
MAX_PROTOCOL_VERSION, &ok, &next);
|
||||||
if (!ok)
|
if (!ok)
|
||||||
goto error;
|
goto error;
|
||||||
if (next != end_of_range)
|
if (next != end_of_range)
|
||||||
goto error;
|
goto error;
|
||||||
|
|
||||||
|
if (low > high)
|
||||||
|
goto error;
|
||||||
|
|
||||||
done:
|
done:
|
||||||
*high_out = high;
|
*high_out = high;
|
||||||
*low_out = low;
|
*low_out = low;
|
||||||
@ -198,10 +214,6 @@ parse_single_entry(const char *s, const char *end_of_entry)
|
|||||||
goto error;
|
goto error;
|
||||||
}
|
}
|
||||||
|
|
||||||
if (range->low > range->high) {
|
|
||||||
goto error;
|
|
||||||
}
|
|
||||||
|
|
||||||
s = comma;
|
s = comma;
|
||||||
while (*s == ',' && s < end_of_entry)
|
while (*s == ',' && s < end_of_entry)
|
||||||
++s;
|
++s;
|
||||||
@ -596,6 +608,12 @@ protover_compute_vote(const smartlist_t *list_of_proto_strings,
|
|||||||
// First, parse the inputs and break them into singleton entries.
|
// First, parse the inputs and break them into singleton entries.
|
||||||
SMARTLIST_FOREACH_BEGIN(list_of_proto_strings, const char *, vote) {
|
SMARTLIST_FOREACH_BEGIN(list_of_proto_strings, const char *, vote) {
|
||||||
smartlist_t *unexpanded = parse_protocol_list(vote);
|
smartlist_t *unexpanded = parse_protocol_list(vote);
|
||||||
|
if (! unexpanded) {
|
||||||
|
log_warn(LD_NET, "I failed with parsing a protocol list from "
|
||||||
|
"an authority. The offending string was: %s",
|
||||||
|
escaped(vote));
|
||||||
|
continue;
|
||||||
|
}
|
||||||
smartlist_t *this_vote = expand_protocol_list(unexpanded);
|
smartlist_t *this_vote = expand_protocol_list(unexpanded);
|
||||||
if (this_vote == NULL) {
|
if (this_vote == NULL) {
|
||||||
log_warn(LD_NET, "When expanding a protocol list from an authority, I "
|
log_warn(LD_NET, "When expanding a protocol list from an authority, I "
|
||||||
@ -660,6 +678,11 @@ protover_all_supported(const char *s, char **missing_out)
|
|||||||
}
|
}
|
||||||
|
|
||||||
smartlist_t *entries = parse_protocol_list(s);
|
smartlist_t *entries = parse_protocol_list(s);
|
||||||
|
if (BUG(entries == NULL)) {
|
||||||
|
log_warn(LD_NET, "Received an unparseable protocol list %s"
|
||||||
|
" from the consensus", escaped(s));
|
||||||
|
return 1;
|
||||||
|
}
|
||||||
|
|
||||||
missing = smartlist_new();
|
missing = smartlist_new();
|
||||||
|
|
||||||
|
@ -155,6 +155,70 @@ test_protover_vote(void *arg)
|
|||||||
tt_str_op(result, OP_EQ, "Bar=3-6,8 Foo=9");
|
tt_str_op(result, OP_EQ, "Bar=3-6,8 Foo=9");
|
||||||
tor_free(result);
|
tor_free(result);
|
||||||
|
|
||||||
|
/* High threshold */
|
||||||
|
result = protover_compute_vote(lst, 3);
|
||||||
|
tt_str_op(result, OP_EQ, "");
|
||||||
|
tor_free(result);
|
||||||
|
|
||||||
|
/* Bad votes: the result must be empty */
|
||||||
|
smartlist_clear(lst);
|
||||||
|
smartlist_add(lst, (void*) "Faux=10-5");
|
||||||
|
result = protover_compute_vote(lst, 1);
|
||||||
|
tt_str_op(result, OP_EQ, "");
|
||||||
|
tor_free(result);
|
||||||
|
|
||||||
|
/* This fails, since "-0" is not valid. */
|
||||||
|
smartlist_clear(lst);
|
||||||
|
smartlist_add(lst, (void*) "Faux=-0");
|
||||||
|
result = protover_compute_vote(lst, 1);
|
||||||
|
tt_str_op(result, OP_EQ, "");
|
||||||
|
tor_free(result);
|
||||||
|
|
||||||
|
/* Vote large protover lists that are just below the threshold */
|
||||||
|
|
||||||
|
/* Just below the threshold: Rust */
|
||||||
|
smartlist_clear(lst);
|
||||||
|
smartlist_add(lst, (void*) "Sleen=1-500");
|
||||||
|
result = protover_compute_vote(lst, 1);
|
||||||
|
tt_str_op(result, OP_EQ, "Sleen=1-500");
|
||||||
|
tor_free(result);
|
||||||
|
|
||||||
|
/* Just below the threshold: C */
|
||||||
|
smartlist_clear(lst);
|
||||||
|
smartlist_add(lst, (void*) "Sleen=1-65536");
|
||||||
|
result = protover_compute_vote(lst, 1);
|
||||||
|
tt_str_op(result, OP_EQ, "Sleen=1-65536");
|
||||||
|
tor_free(result);
|
||||||
|
|
||||||
|
/* Large protover lists that exceed the threshold */
|
||||||
|
|
||||||
|
/* By adding two votes, C allows us to exceed the limit */
|
||||||
|
smartlist_add(lst, (void*) "Sleen=1-65536");
|
||||||
|
smartlist_add(lst, (void*) "Sleen=100000");
|
||||||
|
result = protover_compute_vote(lst, 1);
|
||||||
|
tt_str_op(result, OP_EQ, "Sleen=1-65536,100000");
|
||||||
|
tor_free(result);
|
||||||
|
|
||||||
|
/* Large integers */
|
||||||
|
smartlist_clear(lst);
|
||||||
|
smartlist_add(lst, (void*) "Sleen=4294967294");
|
||||||
|
result = protover_compute_vote(lst, 1);
|
||||||
|
tt_str_op(result, OP_EQ, "Sleen=4294967294");
|
||||||
|
tor_free(result);
|
||||||
|
|
||||||
|
/* This parses, but fails at the vote stage */
|
||||||
|
smartlist_clear(lst);
|
||||||
|
smartlist_add(lst, (void*) "Sleen=4294967295");
|
||||||
|
result = protover_compute_vote(lst, 1);
|
||||||
|
tt_str_op(result, OP_EQ, "");
|
||||||
|
tor_free(result);
|
||||||
|
|
||||||
|
smartlist_clear(lst);
|
||||||
|
smartlist_add(lst, (void*) "Sleen=4294967296");
|
||||||
|
result = protover_compute_vote(lst, 1);
|
||||||
|
tt_str_op(result, OP_EQ, "");
|
||||||
|
tor_free(result);
|
||||||
|
|
||||||
done:
|
done:
|
||||||
tor_free(result);
|
tor_free(result);
|
||||||
smartlist_free(lst);
|
smartlist_free(lst);
|
||||||
@ -194,7 +258,36 @@ test_protover_all_supported(void *arg)
|
|||||||
tt_str_op(msg, OP_EQ, "Link=3-999");
|
tt_str_op(msg, OP_EQ, "Link=3-999");
|
||||||
tor_free(msg);
|
tor_free(msg);
|
||||||
|
|
||||||
|
/* CPU/RAM DoS loop: Rust only */
|
||||||
|
tt_assert(! protover_all_supported("Sleen=0-2147483648", &msg));
|
||||||
|
tt_str_op(msg, OP_EQ, "Sleen=0-2147483648");
|
||||||
|
tor_free(msg);
|
||||||
|
|
||||||
|
/* This case is allowed. */
|
||||||
|
tt_assert(! protover_all_supported("Sleen=0-4294967294", &msg));
|
||||||
|
tt_str_op(msg, OP_EQ, "Sleen=0-4294967294");
|
||||||
|
tor_free(msg);
|
||||||
|
|
||||||
|
/* If we get an unparseable list, we say "yes, that's supported." */
|
||||||
|
#ifndef HAVE_RUST
|
||||||
|
// XXXX let's make this section unconditional: rust should behave the
|
||||||
|
// XXXX same as C here!
|
||||||
|
tor_capture_bugs_(1);
|
||||||
|
tt_assert(protover_all_supported("Fribble", &msg));
|
||||||
|
tt_ptr_op(msg, OP_EQ, NULL);
|
||||||
|
tor_end_capture_bugs_();
|
||||||
|
|
||||||
|
/* This case is forbidden. Since it came from a protover_all_supported,
|
||||||
|
* it can trigger a bug message. */
|
||||||
|
tor_capture_bugs_(1);
|
||||||
|
tt_assert(protover_all_supported("Sleen=0-4294967295", &msg));
|
||||||
|
tt_ptr_op(msg, OP_EQ, NULL);
|
||||||
|
tor_free(msg);
|
||||||
|
tor_end_capture_bugs_();
|
||||||
|
#endif
|
||||||
|
|
||||||
done:
|
done:
|
||||||
|
tor_end_capture_bugs_();
|
||||||
tor_free(msg);
|
tor_free(msg);
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -401,6 +494,83 @@ test_protover_supported_protocols(void *arg)
|
|||||||
;
|
;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
static void
|
||||||
|
test_protover_vote_roundtrip(void *args)
|
||||||
|
{
|
||||||
|
(void) args;
|
||||||
|
static const struct {
|
||||||
|
const char *input;
|
||||||
|
const char *expected_output;
|
||||||
|
} examples[] = {
|
||||||
|
{ "Fkrkljdsf", NULL },
|
||||||
|
{ "Zn=4294967295", NULL },
|
||||||
|
{ "Zn=4294967295-1", NULL },
|
||||||
|
{ "Zn=4294967293-4294967295", NULL },
|
||||||
|
/* Will fail because of 4294967295. */
|
||||||
|
{ "Foo=1,3 Bar=3 Baz= Quux=9-12,14,15-16,900 Zn=0,4294967295",
|
||||||
|
NULL },
|
||||||
|
{ "Foo=1,3 Bar=3 Baz= Quux=9-12,14,15-16,900 Zn=0,4294967294",
|
||||||
|
"Bar=3 Foo=1,3 Quux=9-12,14-16,900 Zn=0,4294967294" },
|
||||||
|
{ "Zu16=0,65536", "Zu16=0,65536" },
|
||||||
|
{ "N-1=1,2", "N-1=1-2" },
|
||||||
|
{ "-1=4294967295", NULL },
|
||||||
|
{ "-1=3", "-1=3" },
|
||||||
|
/* junk. */
|
||||||
|
{ "!!3@*", NULL },
|
||||||
|
/* Missing equals sign */
|
||||||
|
{ "Link=4 Haprauxymatyve Desc=9", NULL },
|
||||||
|
{ "Link=4 Haprauxymatyve=7 Desc=9",
|
||||||
|
"Desc=9 Haprauxymatyve=7 Link=4" },
|
||||||
|
{ "=10-11", NULL },
|
||||||
|
{ "X=10-11", "X=10-11" },
|
||||||
|
{ "Link=4 =3 Desc=9", NULL },
|
||||||
|
{ "Link=4 Z=3 Desc=9", "Desc=9 Link=4 Z=3" },
|
||||||
|
{ "Link=fred", NULL },
|
||||||
|
{ "Link=1,fred", NULL },
|
||||||
|
{ "Link=1,fred,3", NULL },
|
||||||
|
{ "Link=1,9-8,3", NULL },
|
||||||
|
{ "Faux=-0", NULL },
|
||||||
|
{ "Faux=0--0", NULL },
|
||||||
|
// "These fail at the splitting stage in Rust, but the number parsing
|
||||||
|
// stage in C."
|
||||||
|
{ "Faux=-1", NULL },
|
||||||
|
{ "Faux=-1-3", NULL },
|
||||||
|
{ "Faux=1--1", NULL },
|
||||||
|
/* Large integers */
|
||||||
|
{ "Link=4294967296", NULL },
|
||||||
|
/* Large range */
|
||||||
|
{ "Sleen=1-501", "Sleen=1-501" },
|
||||||
|
{ "Sleen=1-65537", NULL },
|
||||||
|
/* CPU/RAM DoS Loop: Rust only. */
|
||||||
|
{ "Sleen=0-2147483648", NULL },
|
||||||
|
/* Rust seems to experience an internal error here. */
|
||||||
|
{ "Sleen=0-4294967295", NULL },
|
||||||
|
};
|
||||||
|
unsigned u;
|
||||||
|
smartlist_t *votes = smartlist_new();
|
||||||
|
char *result = NULL;
|
||||||
|
|
||||||
|
for (u = 0; u < ARRAY_LENGTH(examples); ++u) {
|
||||||
|
const char *input = examples[u].input;
|
||||||
|
const char *expected_output = examples[u].expected_output;
|
||||||
|
|
||||||
|
smartlist_add(votes, (void*)input);
|
||||||
|
result = protover_compute_vote(votes, 1);
|
||||||
|
if (expected_output != NULL) {
|
||||||
|
tt_str_op(result, OP_EQ, expected_output);
|
||||||
|
} else {
|
||||||
|
tt_str_op(result, OP_EQ, "");
|
||||||
|
}
|
||||||
|
|
||||||
|
smartlist_clear(votes);
|
||||||
|
tor_free(result);
|
||||||
|
}
|
||||||
|
|
||||||
|
done:
|
||||||
|
smartlist_free(votes);
|
||||||
|
tor_free(result);
|
||||||
|
}
|
||||||
|
|
||||||
#define PV_TEST(name, flags) \
|
#define PV_TEST(name, flags) \
|
||||||
{ #name, test_protover_ ##name, (flags), NULL, NULL }
|
{ #name, test_protover_ ##name, (flags), NULL, NULL }
|
||||||
|
|
||||||
@ -413,6 +583,7 @@ struct testcase_t protover_tests[] = {
|
|||||||
PV_TEST(list_supports_protocol_returns_true, 0),
|
PV_TEST(list_supports_protocol_returns_true, 0),
|
||||||
PV_TEST(supports_version, 0),
|
PV_TEST(supports_version, 0),
|
||||||
PV_TEST(supported_protocols, 0),
|
PV_TEST(supported_protocols, 0),
|
||||||
|
PV_TEST(vote_roundtrip, 0),
|
||||||
END_OF_TESTCASES
|
END_OF_TESTCASES
|
||||||
};
|
};
|
||||||
|
|
||||||
|
Loading…
Reference in New Issue
Block a user