[or-cvs] r19251: {tor} Partial backport for the relevant parts of 19250 (in tor/branches/tor-0_2_0-patches: . src/or)

nickm at seul.org nickm at seul.org
Thu Apr 9 20:00:43 UTC 2009 

Author: nickm
Date: 2009-04-09 16:00:43 -0400 (Thu, 09 Apr 2009)
New Revision: 19251

Modified:
   tor/branches/tor-0_2_0-patches/ChangeLog
   tor/branches/tor-0_2_0-patches/src/or/routerparse.c
Log:
Partial backport for the relevant parts of 19250

Modified: tor/branches/tor-0_2_0-patches/ChangeLog
===================================================================
--- tor/branches/tor-0_2_0-patches/ChangeLog	2009-04-09 19:58:16 UTC (rev 19250)
+++ tor/branches/tor-0_2_0-patches/ChangeLog	2009-04-09 20:00:43 UTC (rev 19251)
@@ -1,4 +1,8 @@
 Changes in version 0.3.0.35 - 2009-??-??
+  o Security fix:
+    - Avoid crashing in the presence of certain malformed descriptors.
+      Found by lark, and by automated fuzzing.
+
   o Minor bugfixes:
     - When starting with a cache over a few days old, do not leak
       memory for the obsolete router descriptors in it.  Bugfix on

Modified: tor/branches/tor-0_2_0-patches/src/or/routerparse.c
===================================================================
--- tor/branches/tor-0_2_0-patches/src/or/routerparse.c	2009-04-09 19:58:16 UTC (rev 19250)
+++ tor/branches/tor-0_2_0-patches/src/or/routerparse.c	2009-04-09 20:00:43 UTC (rev 19251)
@@ -378,7 +378,7 @@
 
   T0N("opt",                 K_OPT,             CONCAT_ARGS, OBJ_OK ),
 
-  T1N("dir-source",          K_DIR_SOURCE,          GE(3),   NO_OBJ ),
+  T1N("dir-source",          K_DIR_SOURCE,          GE(6),   NO_OBJ ),
   T1N("contact",             K_CONTACT,         CONCAT_ARGS, NO_OBJ ),
   T1N("vote-digest",         K_VOTE_DIGEST,         GE(1),   NO_OBJ ),
 
@@ -2212,7 +2212,7 @@
         base16_decode(voter->vote_digest, sizeof(voter->vote_digest),
                       tok->args[0], HEX_DIGEST_LEN) < 0) {
         log_warn(LD_DIR, "Error decoding vote digest %s in "
-                 "network-status consensus.", escaped(tok->args[1]));
+                 "network-status consensus.", escaped(tok->args[0]));
         goto err;
       }
     }
@@ -2825,8 +2825,7 @@
     goto check_object;
 
   obstart = *s; /* Set obstart to start of object spec */
-  tor_assert(eol >= (*s+16));
-  if (*s+11 >= eol-5 || memchr(*s+11,'\0',eol-*s-16) || /* no short lines, */
+  if (*s+16 >= eol || memchr(*s+11,'\0',eol-*s-16) || /* no short lines, */
       strcmp_len(eol-5, "-----", 5)) {          /* nuls or invalid endings */
     RET_ERR("Malformed object: bad begin line");
   }

More information about the tor-commits mailing list