[tor-commits] [tor/master] Scale IPv6 address counts in policy_summary_reject to avoid overflow

nickm at torproject.org nickm at torproject.org
Wed Feb 1 14:55:10 UTC 2017


commit 408c53b7a78767e04124fec4c4d470fe474e4906
Author: teor <teor2345 at gmail.com>
Date:   Wed Feb 1 15:31:33 2017 +1100

    Scale IPv6 address counts in policy_summary_reject to avoid overflow
    
    This disregards anything smaller than an IPv6 /64, and rejects ports that
    are rejected on an IPv6 /16 or larger.
    
    Adjust existing unit tests, and add more to cover exceptional cases.
    
    No IPv4 behaviour changes.
    
    Fixes bug 21357
---
 src/or/policies.c      | 35 +++++++++++++++++++++++++++++------
 src/test/test_policy.c | 42 ++++++++++++++++++++++++++++++++++++++++--
 2 files changed, 69 insertions(+), 8 deletions(-)

diff --git a/src/or/policies.c b/src/or/policies.c
index cac475d..6037ee3 100644
--- a/src/or/policies.c
+++ b/src/or/policies.c
@@ -2300,15 +2300,24 @@ policy_summary_item_split(policy_summary_item_t* old, uint16_t new_starts)
 #define AT(x) ((policy_summary_item_t*)smartlist_get(summary, x))
 
 #define IPV4_BITS                (32)
+/* Every IPv4 address is counted as one rejection */
+#define REJECT_CUTOFF_SCALE_IPV4 (0)
 /* Ports are rejected in an IPv4 summary if they are rejected in more than two
  * IPv4 /8 address blocks */
 #define REJECT_CUTOFF_COUNT_IPV4 (U64_LITERAL(1) << \
-                                  (IPV4_BITS - 7))
+                                  (IPV4_BITS - REJECT_CUTOFF_SCALE_IPV4 - 7))
 
 #define IPV6_BITS                (128)
-/* Ports are rejected in an IPv6 summary if they are rejected in at least one
- * IPv6 /64. */
-#define REJECT_CUTOFF_COUNT_IPV6 (UINT64_MAX)
+/* IPv6 /64s are counted as one rejection, anything smaller is ignored */
+#define REJECT_CUTOFF_SCALE_IPV6 (64)
+/* Ports are rejected in an IPv6 summary if they are rejected in more than one
+ * IPv6 /16 address block.
+ * This is rougly equivalent to the IPv4 cutoff, as only five IPv6 /12s (and
+ * some scattered smaller blocks) have been allocated to the RIRs.
+ * Network providers are typically allocated one or more IPv6 /32s.
+ */
+#define REJECT_CUTOFF_COUNT_IPV6 (U64_LITERAL(1) << \
+                                  (IPV6_BITS - REJECT_CUTOFF_SCALE_IPV6 - 16))
 
 /** Split an exit policy summary so that prt_min and prt_max
  * fall at exactly the start and end of an item respectively.
@@ -2381,14 +2390,28 @@ policy_summary_reject(smartlist_t *summary,
   int addrbits = (family == AF_INET) ? IPV4_BITS : IPV6_BITS;
   tor_assert_nonfatal_once(addrbits >= maskbits);
 
+  /* We divide IPv6 address counts by (1 << scale) to keep them in a uint64_t
+   */
+  int scale = ((family == AF_INET) ?
+               REJECT_CUTOFF_SCALE_IPV4 :
+               REJECT_CUTOFF_SCALE_IPV6);
+
+  tor_assert_nonfatal_once(addrbits >= scale);
+  if (maskbits > (addrbits - scale)) {
+    tor_assert_nonfatal_once(family == AF_INET6);
+    /* The address range is so small, we'd need billions of them to reach the
+     * rejection limit. So we ignore this range in the reject count. */
+    return;
+  }
+
   uint64_t count = 0;
-  if (addrbits - maskbits >= 64) {
+  if (addrbits - scale - maskbits >= 64) {
     tor_assert_nonfatal_once(family == AF_INET6);
     /* The address range is so large, it's an automatic rejection for all ports
      * in the range. */
     count = UINT64_MAX;
   } else {
-    count = (U64_LITERAL(1) << (addrbits - maskbits));
+    count = (U64_LITERAL(1) << (addrbits - scale - maskbits));
   }
   tor_assert_nonfatal_once(count > 0);
   while (i < smartlist_len(summary) &&
diff --git a/src/test/test_policy.c b/src/test/test_policy.c
index fb7195a..f2d42b9 100644
--- a/src/test/test_policy.c
+++ b/src/test/test_policy.c
@@ -594,13 +594,51 @@ test_policies_general(void *arg)
   /* short policy with configured netblocks */
   test_policy_summary_helper("reject 149.56.0.0/16,"
                              "reject6 2607:5300::/32,"
+                             "reject6 2608:5300::/64,"
+                             "reject6 2609:5300::/96,"
+                             "accept *:80,"
+                             "accept *:443,"
+                             "reject *:*",
+                             "accept 80,443");
+  /* short policy with large netblocks that do not count as a rejection */
+  test_policy_summary_helper("reject 148.0.0.0/7,"
+                             "reject6 2600::/16,"
                              "accept *:80,"
                              "accept *:443,"
                              "reject *:*",
                              "accept 80,443");
   /* short policy with large netblocks that count as a rejection */
-  test_policy_summary_helper("reject 149.0.0.0/6,"
-                             "reject6 2600::/6,"
+  test_policy_summary_helper("reject 148.0.0.0/6,"
+                             "reject6 2600::/15,"
+                             "accept *:80,"
+                             "accept *:443,"
+                             "reject *:*",
+                             "reject 1-65535");
+  /* short policy with huge netblocks that count as a rejection */
+  test_policy_summary_helper("reject 128.0.0.0/1,"
+                             "reject6 8000::/1,"
+                             "accept *:80,"
+                             "accept *:443,"
+                             "reject *:*",
+                             "reject 1-65535");
+  /* short policy which blocks everything using netblocks */
+  test_policy_summary_helper("reject 0.0.0.0/0,"
+                             "reject6 ::/0,"
+                             "accept *:80,"
+                             "accept *:443,"
+                             "reject *:*",
+                             "reject 1-65535");
+  /* short policy which has repeated redundant netblocks */
+  test_policy_summary_helper("reject 0.0.0.0/0,"
+                             "reject 0.0.0.0/0,"
+                             "reject 0.0.0.0/0,"
+                             "reject 0.0.0.0/0,"
+                             "reject 0.0.0.0/0,"
+                             "reject6 ::/0,"
+                             "reject6 ::/0,"
+                             "reject6 ::/0,"
+                             "reject6 ::/0,"
+                             "reject6 ::/0,"
                              "accept *:80,"
                              "accept *:443,"
                              "reject *:*",





More information about the tor-commits mailing list