Commit Graph

31076 Commits

Author SHA1 Message Date
Tobias Stoeckmann
9ce0bdd226 Prevent double free on huge files with 32 bit.
The function compat_getdelim_ is used for tor_getline if tor is compiled
on a system that lacks getline and getdelim. These systems should be
very rare, considering that getdelim is POSIX.

If this system is further a 32 bit architecture, it is possible to
trigger a double free with huge files.

If bufsiz has been already increased to 2 GB, the next chunk would
be 4 GB in size, which wraps around to 0 due to 32 bit limitations.

A realloc(*buf, 0) could be imagined as "free(*buf); return malloc(0);"
which therefore could return NULL. The code in question considers
that an error, but will keep the value of *buf pointing to already
freed memory.

The caller of tor_getline() would free the pointer again, therefore
leading to a double free.

This code can only be triggered in dirserv_read_measured_bandwidths
with a huge measured bandwith list file on a system that actually
allows to reach 2 GB of space through realloc.

It is not possible to trigger this on Linux with glibc or other major
*BSD systems even on unit tests, because these systems cannot reach
so much memory due to memory fragmentation.

This patch is effectively based on the penetration test report of
cure53 for curl available at https://cure53.de/pentest-report_curl.pdf
and explained under section "CRL-01-007 Double-free in aprintf() via
unsafe size_t multiplication (Medium)".
2019-04-10 12:46:27 +03:00
teor
12b9bfc05f
test: Also avoid reading the system default torrc in integration tests
Part of 29702.
2019-04-10 19:03:43 +10:00
rl1987
acec0192c3
Add changes file 2019-04-10 18:45:36 +10:00
rl1987
93dcfc6593
Use empty torrc file when launching tor in test_rebind.py 2019-04-10 18:45:21 +10:00
Nick Mathewson
9f3f99938e Actually I believe this should be an EINVAL. 2019-04-09 13:49:10 -04:00
Nick Mathewson
c24928dd8f Changes file for bug30041 2019-04-09 12:05:33 -04:00
Tobias Stoeckmann
a628e36024 Check return value of buf_move_to_buf for error.
If the concatenation of connection buffer and the buffer of linked
connection exceeds INT_MAX bytes, then buf_move_to_buf returns -1 as an
error value.

This value is currently casted to size_t (variable n_read) and will
erroneously lead to an increasement of variable "max_to_read".

This in turn can be used to call connection_buf_read_from_socket to
store more data inside the buffer than expected and clogging the
connection buffer.

If the linked connection buffer was able to overflow INT_MAX, the call
of buf_move_to_buf would have previously internally triggered an integer
overflow, corrupting the state of the connection buffer.

Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
2019-04-09 12:05:22 -04:00
Tobias Stoeckmann
5a6ab3e7db Protect buffers against INT_MAX datalen overflows.
Many buffer functions have a hard limit of INT_MAX for datalen, but
this limitation is not enforced in all functions:

- buf_move_all may exceed that limit with too many chunks
- buf_move_to_buf exceeds that limit with invalid buf_flushlen argument
- buf_new_with_data may exceed that limit (unit tests only)

This patch adds some annotations in some buf_pos_t functions to
guarantee that no out of boundary access could occur even if another
function lacks safe guards against datalen overflows.

Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
2019-04-09 12:05:14 -04:00
Nick Mathewson
c10011532e Changes file for bug30041 2019-04-09 12:03:22 -04:00
Tobias Stoeckmann
0fa95308fe Check return value of buf_move_to_buf for error.
If the concatenation of connection buffer and the buffer of linked
connection exceeds INT_MAX bytes, then buf_move_to_buf returns -1 as an
error value.

This value is currently casted to size_t (variable n_read) and will
erroneously lead to an increasement of variable "max_to_read".

This in turn can be used to call connection_buf_read_from_socket to
store more data inside the buffer than expected and clogging the
connection buffer.

If the linked connection buffer was able to overflow INT_MAX, the call
of buf_move_to_buf would have previously internally triggered an integer
overflow, corrupting the state of the connection buffer.

Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
2019-04-09 12:00:14 -04:00
Tobias Stoeckmann
74b2bc43fb Protect buffers against INT_MAX datalen overflows.
Many buffer functions have a hard limit of INT_MAX for datalen, but
this limitation is not enforced in all functions:

- buf_move_all may exceed that limit with too many chunks
- buf_move_to_buf exceeds that limit with invalid buf_flushlen argument
- buf_new_with_data may exceed that limit (unit tests only)

This patch adds some annotations in some buf_pos_t functions to
guarantee that no out of boundary access could occur even if another
function lacks safe guards against datalen overflows.

  [This is a backport of the submitted patch to 0.2.9, where the
  buf_move_to_buf and buf_new_with_data functions did not exist.]
2019-04-09 11:59:20 -04:00
Nick Mathewson
a63bd87760 Detect and suppress an additional gmtime() warning in test_util.c
Fixes bug 29922; bugfix on 0.2.9.3-alpha when we tried to capture
all these warnings.  No need to backport any farther than 0.3.5,
though -- these warnings don't cause test failures before then.

This one was tricky to find because apparently it only happened on
_some_ windows builds.
2019-04-08 17:02:14 -04:00
teor
4dd96f7444
changes: Ticket 29241 is actually a bug on NSS in 0.3.5.1-alpha 2019-04-06 11:07:20 +10:00
Nick Mathewson
5cb94cbf9d
NSS: disable TLS1.2 SHA-384 ciphersuites.
In current NSS versions, these ciphersuites don't work with
SSL_ExportKeyingMaterial(), which was causing relays to fail when
they tried to negotiate the v3 link protocol authentication.

Fixes bug 29241; bugfix on 0.4.0.1-alpha.
2019-04-06 11:06:34 +10:00
Nick Mathewson
680fd3f8fb
NSS: Log an error message when SSL_ExportKeyingMaterial() fails
Diagnostic for 29241.
2019-04-06 11:06:22 +10:00
teor
3b9e3cca94
Merge branch 'maint-0.3.4' into maint-0.3.5 2019-04-06 09:33:20 +10:00
teor
48e990359b
Merge branch 'maint-0.2.9' into maint-0.3.4 2019-04-06 09:33:11 +10:00
teor
316aed502e
Merge remote-tracking branch 'tor-github/pr/898' into maint-0.3.5 2019-04-06 09:32:53 +10:00
teor
ea5e371822
Merge remote-tracking branch 'tor-github/pr/903' into maint-0.3.5 2019-04-06 09:31:52 +10:00
teor
44ea341117
Merge remote-tracking branch 'tor-github/pr/879' into maint-0.3.5 2019-04-06 09:30:52 +10:00
teor
102178e6d4
Merge remote-tracking branch 'tor-github/pr/878' into maint-0.3.4 2019-04-06 09:30:04 +10:00
teor
a0db5ade3e
Merge remote-tracking branch 'tor-github/pr/902' into maint-0.2.9 2019-04-06 09:28:58 +10:00
teor
e1955a2c54
Merge remote-tracking branch 'tor-github/pr/877' into maint-0.2.9 2019-04-06 09:28:13 +10:00
teor
db71bceb40
Merge branch 'bug29036-29962-034' into bug29036-29962-035 2019-04-05 12:58:32 +10:00
teor
a514e02476
Merge branch 'bug29036-029' into bug29036-29962-034 2019-04-05 12:58:16 +10:00
teor
f0cd8f804f
Makefile: actually, don't delete the gcno files
We need to keep the gcno files, because they are created at compile time.
2019-04-05 12:56:29 +10:00
Nick Mathewson
db1c1dba34 Merge branch 'bug30021_029' into bug30021_035 2019-04-04 11:26:33 -04:00
Nick Mathewson
1710f4bbd6 Do not cache bogus results from classifying client ciphers
When classifying a client's selection of TLS ciphers, if the client
ciphers are not yet available, do not cache the result. Previously,
we had cached the unavailability of the cipher list and never looked
again, which in turn led us to assume that the client only supported
the ancient V1 link protocol.  This, in turn, was causing Stem
integration tests to stall in some cases.  Fixes bug 30021; bugfix
on 0.2.4.8-alpha.
2019-04-04 11:24:55 -04:00
teor
3fa42d599a
Travis: Terminate test-stem if it takes more than 9.5 minutes to run
(Travis terminates the job after 10 minutes of no output.)

Diagnostic for 29437.

Fixes bug 30011; bugfix on 0.3.5.4-alpha.
2019-04-04 13:21:35 +10:00
Nick Mathewson
4aa02d3c7a Merge branch 'maint-0.3.4' into maint-0.3.5 2019-04-03 09:27:43 -04:00
Nick Mathewson
3cfcfbac46 Merge branch 'maint-0.2.9' into maint-0.3.4 2019-04-03 09:27:42 -04:00
Karsten Loesing
54e249e269 Update geoip and geoip6 to the April 2 2019 database. 2019-04-03 09:26:28 +02:00
teor
0418d4081a
Merge branch 'maint-0.3.4' into maint-0.3.5 2019-04-02 11:45:22 +10:00
teor
74775b2dfd
Merge branch 'maint-0.2.9' into maint-0.3.4 2019-04-02 11:45:13 +10:00
teor
7014e57f4a
Merge branch 'bug29036-29962-034' into bug29036-29962-035
Merge the moved coverage line from 29036 with the stem changes in
maint-0.3.5.
2019-04-01 14:11:20 +10:00
teor
33be8d8295
Travis: merge before_cache from 29036 and 29962
And add some useful comments
2019-04-01 14:08:34 +10:00
rl1987
124990aa01
Add changes file 2019-04-01 14:08:24 +10:00
rl1987
0c6cfd9c65
Cleanup cargo registry before each Rust-enabled build
Also, refrain from caching target/.

See: https://levans.fr/rust_travis_cache.html
2019-04-01 14:08:12 +10:00
teor
ac28e56ccb
Merge branch 'bug29036-029' into bug29036-29962-034 2019-04-01 14:07:58 +10:00
teor
57e9fe2bba
Makefile: delete all the gcov-related files in reset-gcov
And fix a comment.

See:
https://gcc.gnu.org/onlinedocs/gcc/Gcov-Data-Files.html#Gcov-Data-Files
2019-04-01 14:06:52 +10:00
teor
eb0bd18d6e
changes: Use the first Tor version with CI coverage for the 29036 changes file
Otherwise, "make check-changes" will complain when we backport the change.
2019-04-01 13:40:16 +10:00
teor
3280e9a116
Merge branch 'maint-0.3.4' into maint-0.3.5 2019-03-27 10:02:40 +10:00
teor
6d057c56f1
Merge remote-tracking branch 'tor-github/pr/820' into maint-0.3.4 2019-03-27 10:01:45 +10:00
rl1987
669ec64325
Fix CID 1444119
Let's use the same function exit point for BUG() codepath that we're using
for every other exit condition. That way, we're not forgetting to clean up
the memarea.
2019-03-26 12:24:45 +10:00
teor
f7688cb179
test: Backport the 0.3.4 src/test/test-network.sh to 0.2.9
We need a recent test-network.sh to use new chutney features in CI.

Fixes bug 29703; bugfix on 0.2.9.1-alpha.
2019-03-22 13:20:23 +10:00
teor
091f8688b8
test/dir: add an extra argument to dirserv_read_measured_bandwidths()
Part of 29806.
2019-03-21 12:56:28 +10:00
teor
3adb689fbc
Merge branch 'ticket29806_034_squashed' into ticket29806_035_squashed_merged
Copy and paste the vote=0 code from the old src/or/dirserv.c
to the new src/feature/dirauth/bwauth.c.
2019-03-21 12:04:30 +10:00
juga0
4ab2e9a599
bwauth: Ignore bandwidth file lines with "vote=0"
so that the relays that would be "excluded" from the bandwidth
file because of something failed can be included to diagnose what
failed, without still including these relays in the bandwidth
authorities vote.

Closes #29806.
2019-03-21 12:00:45 +10:00
Alexander Færøy
fbb1c7adfc Handle errors from coveralls more gracefully.
Since we have moved coveralls to the script target the entire build will
now fail if coveralls fail. We handle it more gracefully by echo'ing the
failure instead of doing a hard-failure.

See: https://bugs.torproject.org/29036
2019-03-20 15:44:06 +01:00
Alexander Færøy
0267c453e2 Run make reset-gcov after the script target in Travis CI is done.
This should ensure that GCDA files are never entering the cache of
Travis CI.

See: https://bugs.torproject.org/29036
2019-03-20 15:22:39 +01:00