Commit Graph

11118 Commits

Author SHA1 Message Date
Nick Mathewson
2ce132e335 Oops, here's the *REAL* fix for the ipv6 issue
We need to _REJECT_ descriptors with accept6/reject6 lines.  If we
let them onto the network , other un-upgraded tors will crash.
2011-03-06 13:41:55 -05:00
Nick Mathewson
3da0837b0b Revert "Disallow reject6 and accept6 lines in descriptors"
This reverts commit b3918b3bbb.
2011-03-06 13:26:38 -05:00
Nick Mathewson
8b01fd7bad exit_policy_is_general_exit is IPv4 only; it should admit it. 2011-03-06 13:16:53 -05:00
Nick Mathewson
fb421c0005 Changes file for ipv6 parsing issue 2011-03-06 13:15:32 -05:00
Sebastian Hahn
b3918b3bbb Disallow reject6 and accept6 lines in descriptors
This fixes a remotely triggerable assert on directory authorities, who
don't handle descriptors with ipv6 contents well yet. We will want to
revert this once we're ready to handle ipv6.

Issue raised by lorth on #tor, who wasn't able to use Tor anymore.
Analyzed with help from Christian Fromme. Fix suggested by arma. Bugfix
on 0.2.1.3-alpha.
2011-03-06 18:20:28 +01:00
Nick Mathewson
10ad3442e1 Remove doc/spec/Makefile.in from list of generated files 2011-02-22 17:51:03 -05:00
Nick Mathewson
491abbc65e Merge remote branch 'public/bug1859_021' into maint-0.2.1 2011-02-22 17:19:41 -05:00
Nick Mathewson
7605985b3f Merge remote branch 'public/bug2402_nothing' into maint-0.2.1 2011-02-22 15:54:13 -05:00
Roger Dingledine
372773d681 changes file for removing torspec from the tarball 2011-02-22 14:50:00 -05:00
Roger Dingledine
0ab62a4dc5 prefer https urls 2011-02-22 14:39:09 -05:00
Nick Mathewson
7bdb7d4811 Remove specs from 0.2.1 branch: they have moved to a new repository. 2011-02-21 16:02:16 -05:00
Roger Dingledine
28de4d83fd fix the other half of bug 1074 2011-02-10 17:11:06 -05:00
Nick Mathewson
50c259d763 Make the DH parameter we use for TLS match the one from Apache's mod_ssl
Our regular DH parameters that we use for circuit and rendezvous
crypto are unchanged.  This is yet another small step on the path of
protocol fingerprinting resistance.

(Backport from 0.2.2's 5ed73e3807)
2011-02-10 15:55:06 -05:00
Robert Ransom
5fc6967956 Update documentation for PublishServerDescriptor 2011-02-09 02:33:24 -08:00
Robert Ransom
7bf06d4a4f Ignore and warn about "PublishServerDescriptor hidserv"
Fixes #2408.
2011-02-09 02:33:24 -08:00
Roger Dingledine
bcbcda309a move the clause above the "if bw is too low" check 2011-02-07 23:22:45 -05:00
Roger Dingledine
20b75989ac dtrt when only relaybandwidthburst is set
fixes bug 2470
2011-02-07 23:21:33 -05:00
Karsten Loesing
9c2cb6fc89 Update to the February 1 2011 Maxmind GeoLite Country database. 2011-02-07 22:19:37 -05:00
Andrew Lewman
741ef2a8cd fix the links in the exit-list notice we give out to users. 2011-01-26 11:15:09 -05:00
Nick Mathewson
ebb287c75d Backport current tor-exit-notice to 0.2.1 2011-01-26 11:15:09 -05:00
Nick Mathewson
a1073ee956 Simplest fix to bug2402: do not include SVN versions
When we stopped using svn, 0.2.1.x lost the ability to notice its svn
revision and report it in the version number.  However, it kept
looking at the micro-revision.i file... so if you switched to master,
built tor, then switched to 0.2.1.x, you'd get a micro-revision.i file
from master reported as an SVN tag.  This patch takes out the "include
the svn tag" logic entirely.

Bugfix on 0.2.1.15-rc; fixes bug 2402.
2011-01-25 14:08:13 -05:00
Nick Mathewson
1471e57743 Merge remote branch 'rransom/policy_summarize-assert' into maint-0.2.1 2011-01-20 14:59:23 -05:00
Robert Ransom
43414eb988 Fix bounds-checking in policy_summarize
Found by piebeer.
2011-01-20 11:17:57 -08:00
Nick Mathewson
c8f94eed12 Oops; actually add the code to the last patch. :/ 2011-01-19 13:25:17 -05:00
Nick Mathewson
971e83ef9c Fix two more SIZE_T_CEILING issues
This patch imposes (very long) limits on the length of a line in a
directory document, and on the length of a certificate.  I don't
think it should actually be possible to overrun these remotely,
since we already impose a maximum size on any directory object we're
downloading, but a little defensive programming never hurt anybody.

Roger emailed me that doorss reported these on IRC, but nobody seems
to have put them on the bugtracker.
2011-01-19 13:22:50 -05:00
Roger Dingledine
8875a028a7 be the winner, rewrite history 2011-01-18 19:12:01 -05:00
Roger Dingledine
5110490253 0.2.1.29 changelog and blurb 2011-01-15 19:56:10 -05:00
Nick Mathewson
ef6fa07e48 Fix a couple of non-cleared key issues in hidden services
we need to do more hunting, but this fixes the ones mentioned in 2385.
2011-01-15 14:10:54 -05:00
Nick Mathewson
9b09627edd Zero out some more key data before freeing it
Found by cypherpunks; fixes bug 2384.
2011-01-15 14:10:52 -05:00
Nick Mathewson
b97b0efec8 Merge branch 'bug2352_obsize' into maint-0.2.1 2011-01-15 13:15:06 -05:00
Nick Mathewson
31b562e10a Add missing check for hostname answer_len in dnsserv size
This is checked elsewhere too, but let's be RFC-conformant.
2011-01-15 13:09:12 -05:00
Nick Mathewson
c2aa2db8b5 Merge branch 'bug2332_part2' into maint-0.2.1 2011-01-15 12:43:02 -05:00
Nick Mathewson
8f11642ceb Merge branch 'bug2324_uncompress' into maint-0.2.1 2011-01-15 12:12:34 -05:00
Nick Mathewson
1fcfc18628 clean up message; explain a magic number in a comment 2011-01-15 12:12:10 -05:00
Nick Mathewson
50b06a2b76 make the description of tolen_asserts more dire
We have a CVE # for this bug.
2011-01-15 11:49:26 -05:00
Nick Mathewson
115782bdbe Fix a heap overflow found by debuger, and make it harder to make that mistake again
Our public key functions assumed that they were always writing into a
large enough buffer.  In one case, they weren't.

(Incorporates fixes from sebastian)
2011-01-15 11:49:25 -05:00
Nick Mathewson
a16902b9d4 Always nul-terminate the result passed to evdns_server_add_ptr_reply
In dnsserv_resolved(), we carefully made a nul-terminated copy of the
answer in a PTR RESOLVED cell... then never used that nul-terminated
copy.  Ouch.

Surprisingly this one isn't as huge a security problem as it could be.
The only place where the input to dnsserv_resolved wasn't necessarily
nul-terminated was when it was called indirectly from relay.c with the
contents of a relay cell's payload.  If the end of the payload was
filled with junk, eventdns.c would take the strdup() of the name [This
part is bad; we might crash there if the cell is in a bad part of the
stack or the heap] and get a name of at least length
495[*]. eventdns.c then rejects any name of length over 255, so the
bogus data would be neither transmitted nor altered.

  [*] If the name was less than 495 bytes long, the client wouldn't
     actually be reading off the end of the cell.

Nonetheless this is a reasonably annoying bug.  Better fix it.

Found while looking at bug 2332, reported by doorss.  Bugfix on
0.2.0.1-alpha.
2011-01-15 11:49:25 -05:00
Nick Mathewson
1f3b442023 catch another overlong malloc possibility. found by cypherpunks 2011-01-15 10:42:11 -05:00
Nick Mathewson
9fcc14224b Make our replacement INT32_MAX always signed
The C standard says that INT32_MAX is supposed to be a signed
integer.  On platforms that have it, we get the correct
platform-defined value.  Our own replacement, however, was
unsigned.  That's going to cause a bug somewhere eventually.
2011-01-12 14:29:38 -05:00
Nick Mathewson
bd67b23fec Always nul-terminate the result passed to evdns_server_add_ptr_reply
In dnsserv_resolved(), we carefully made a nul-terminated copy of the
answer in a PTR RESOLVED cell... then never used that nul-terminated
copy.  Ouch.

Surprisingly this one isn't as huge a security problem as it could be.
The only place where the input to dnsserv_resolved wasn't necessarily
nul-terminated was when it was called indirectly from relay.c with the
contents of a relay cell's payload.  If the end of the payload was
filled with junk, eventdns.c would take the strdup() of the name [This
part is bad; we might crash there if the cell is in a bad part of the
stack or the heap] and get a name of at least length
495[*]. eventdns.c then rejects any name of length over 255, so the
bogus data would be neither transmitted nor altered.

  [*] If the name was less than 495 bytes long, the client wouldn't
     actually be reading off the end of the cell.

Nonetheless this is a reasonably annoying bug.  Better fix it.

Found while looking at bug 2332, reported by doorss.  Bugfix on
0.2.0.1-alpha.
2011-01-10 16:33:48 -05:00
Nick Mathewson
373a1bc40e Impose maximum sizes on parsed objects
An object, you'll recall, is something between -----BEGIN----- and
-----END----- tags in a directory document.  Some of our code, as
doorss has noted in bug 2352, could assert if one of these ever
overflowed SIZE_T_CEILING but not INT_MAX.  As a solution, I'm setting
a maximum size on a single object such that neither of these limits
will ever be hit.  I'm also fixing the INT_MAX checks, just to be sure.
2011-01-10 12:12:11 -05:00
Nick Mathewson
729f404efe Add logic in routerparse to not read overlong private keys
I am not at all sure that it is possible to trigger a bug here,
but better safe than sorry.
2011-01-10 12:07:34 -05:00
Karsten Loesing
d43cba6c69 Update to the January 1 2011 Maxmind GeoLite Country database. 2011-01-10 10:37:54 +01:00
Nick Mathewson
045e6ebd31 Remove a loud info log message 2011-01-07 22:03:22 -05:00
Nick Mathewson
0a35ac6a22 Correctly detect and exclude addresses outside of our virtual address range
Found by cypherpunks; fixes more of 2328.  Bug was introduced in 3623a122;
first appeared in 0.2.0.5-alpha.
2011-01-07 12:24:36 -05:00
Nick Mathewson
d6b49c55c5 Merge branch 'bug2328_021' into maint-0.2.1 2011-01-06 13:36:29 -05:00
Nick Mathewson
2008728df7 Notice a little faster if we're running out of virtual addresses
We were not decrementing "available" every time we did
++next_virtual_addr in addressmap_get_virtual_address: we left out the
--available when we skipped .00 and .255 addresses.

This didn't actually cause a bug in most cases, since the failure mode
was to keep looping around the virtual addresses until we found one,
or until available hit zero.  It could have given you an infinite loop
rather than a useful message, however, if you said "VirtualAddrNetwork
127.0.0.255/32" or something broken like that.

Spotted by cypherpunks
2011-01-06 13:29:36 -05:00
Nick Mathewson
eabddd8ca0 Handle a NULL return from addressmap_get_virtual_address
Fix for bug 2328; bugfix on 0.1.2.1-alpha; bug found by doorss.
2011-01-05 16:36:48 -05:00
Nick Mathewson
31d6659d97 Fix a double-counting bug in addrmap_get_virtual_address
We were decrementing "available" twice for each in-use address we ran
across.  This would make us declare that we ran out of virtual
addresses when the address space was only half full.
2011-01-05 16:02:43 -05:00
Nick Mathewson
d14b0d54d2 Fix a SIZE_T_CEILING check in torgzip.c; noticed by cypherpunks 2011-01-05 12:42:34 -05:00