[tor-bugs] #22789 [Core Tor/Tor]: Tor 0.3.1.4-alpha crash on OpenBSD-current
Tor Bug Tracker & Wiki
blackhole at torproject.org
Tue Jul 4 08:59:33 UTC 2017
#22789: Tor 0.3.1.4-alpha crash on OpenBSD-current
-------------------------------------------------+-------------------------
Reporter: fredzupy | Owner:
Type: defect | Status: needs_review
Priority: High | Milestone: Tor: 0.3.1.x-final
Component: Core Tor/Tor | Version: Tor: 0.3.1.4-alpha
Severity: Major | Resolution:
Keywords: tor crash inet_pton c99 openbsd 024-backport 025-backport 026-backport 027-backport 028-backport 029-backport 030-backport | Actual Points:
Parent ID: | Points:
Reviewer: | Sponsor:
-------------------------------------------------+-------------------------
Comment (by cypherpunks):
Replying to [comment:18 fredzupy]:
> Replying to [comment:17 catalyst]:
> > My reading of C99 is that `strtol("0xquux", &next, 16)` must return
> > zero and `next` must point to the `x`. The optionality in paragraph 3 is
> > for the input data, not the implementation.
>
> Under Linux it produces:
> l:0 rest:xquux
>
> Under OpenBSD it produces:
> l:0 rest:0xquux
>
> The question is whether the Tor code is good enough and OpenBSD needs
> to fix something, or OpenBSD is sufficiently conformant and the Tor code
> needs to adapt.
>
I believe the OpenBSD result is correct according to the C99 text and
contradicts catalyst's statement, because paragraph 7.20.1.4.7 states:
> If the subject sequence is empty or does not have the expected form, no
> conversion is performed; the value of nptr is stored in the object pointed
> to by endptr, provided that endptr is not a null pointer.
With the example code, `nptr` does not have the expected form, so no
conversion is performed; therefore `nptr == *endptr`. Furthermore,
paragraph 7.20.1.4.8 states:
> The strtol, strtoll, strtoul, and strtoull functions return the
> converted value, if any. If no conversion could be performed, zero is
> returned. If the correct value is outside the range of representable
> values, LONG_MIN, LONG_MAX, LLONG_MIN, LLONG_MAX, ULONG_MAX, or ULLONG_MAX
> is returned (according to the return type and sign of the value, if any),
> and the value of the macro ERANGE is stored in errno.
With the example code, `nptr` does not have the expected form, so no
conversion is performed; therefore the return value is zero.
Combining these two means that when the subject sequence is empty
or does not have the expected form, no conversion is performed, the
return value is zero, and `nptr == *endptr`.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/22789#comment:19>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
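As an added example (not code from the ticket, from Tor, or from any participant), a hand-written hex-group parser that sidesteps the base-16 "0x" ambiguity the thread argues about, beside a probe that reports what the local libc's `strtol` does on the thread's input "0xquux"; the function names are hypothetical:

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Parse one IPv6-style hex group (1 to 4 hex digits) by hand, so the result
 * does not depend on how the libc's strtol treats a "0x" prefix in base 16.
 * Returns 1 on success (*out = value, *end just past the digits), 0 if no
 * hex digit was present (*end == s). Hypothetical helper, not Tor's code. */
static int parse_hex_group(const char *s, const char **end, unsigned *out)
{
  unsigned v = 0;
  int n = 0;
  while (n < 4 && isxdigit((unsigned char)s[n])) {
    int c = tolower((unsigned char)s[n]);
    v = (v << 4) | (unsigned)(isdigit(c) ? c - '0' : c - 'a' + 10);
    n++;
  }
  *end = s + n;
  if (n == 0)
    return 0;
  *out = v;
  return 1;
}

/* Check helper: does parse_hex_group() yield this value and this remainder? */
static int group_parses_to(const char *s, unsigned want, const char *want_rest)
{
  const char *end;
  unsigned v = 0;
  int ok = parse_hex_group(s, &end, &v);
  return ok && v == want && strcmp(end, want_rest) == 0;
}

/* Probe the libc: characters consumed by strtol("0xquux", &next, 16). glibc
 * gives 1 (rest "xquux"), OpenBSD 0 (rest "0xquux"); both return 0 (-1 if not). */
static long strtol_0x_consumed(void)
{
  const char *in = "0xquux";
  char *next;
  long l = strtol(in, &next, 16);
  return (l == 0) ? (long)(next - in) : -1;
}

int main(void)
{
  printf("strtol consumed %ld char(s); manual parser ok: %d\n",
         strtol_0x_consumed(), group_parses_to("0xquux", 0, "xquux"));
  return 0;
}
```

The manual parser reads "0" as a complete group and stops at "x" on every platform, which is the behaviour code that feeds hex groups to a parser actually relies on.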