diff --git a/changes/bug25249 b/changes/bug25249
new file mode 100644
index 0000000000..b4153eeaef
--- /dev/null
+++ b/changes/bug25249
@@ -0,0 +1,3 @@
+ o Minor bugfixes (spec conformance):
+ - Forbid "-0" as a protocol version. Fixes part of bug 25249; bugfix on
+ 0.2.9.4-alpha.
diff --git a/changes/bug25249.2 b/changes/bug25249.2
new file mode 100644
index 0000000000..9058c11071
--- /dev/null
+++ b/changes/bug25249.2
@@ -0,0 +1,3 @@
+ o Minor bugfixes (spec conformance):
+ - Forbid UINT32_MAX as a protocol version. Fixes part of bug 25249;
+ bugfix on 0.2.9.4-alpha.
diff --git a/changes/trove-2018-001.1 b/changes/trove-2018-001.1
new file mode 100644
index 0000000000..f0ee92f409
--- /dev/null
+++ b/changes/trove-2018-001.1
@@ -0,0 +1,6 @@
+ o Major bugfixes (denial-of-service, directory authority):
+ - Fix a protocol-list handling bug that could be used to remotely crash
+ directory authorities with a null-pointer exception. Fixes bug 25074;
+ bugfix on 0.2.9.4-alpha. Also tracked as TROVE-2018-001.
+
+
diff --git a/changes/trove-2018-004 b/changes/trove-2018-004
new file mode 100644
index 0000000000..37e0a89b0d
--- /dev/null
+++ b/changes/trove-2018-004
@@ -0,0 +1,8 @@
+ o Minor bugfixes (denial-of-service):
+ - Fix a possible crash on malformed consensus. If a consensus had
+ contained an unparseable protocol line, it could have made clients
+ and relays crash with a null-pointer exception. To exploit this
+ issue, however, an attacker would need to be able to subvert the
+ directory-authority system. Fixes bug 25251; bugfix on
+ 0.2.9.4-alpha. Also tracked as TROVE-2018-004.
+
diff --git a/src/or/protover.c b/src/or/protover.c
index 41b50df87f..cb168085c6 100644
--- a/src/or/protover.c
+++ b/src/or/protover.c
@@ -106,6 +106,9 @@ proto_entry_free_(proto_entry_t *entry)
tor_free(entry);
}
+/** The largest possible protocol version. */
+#define MAX_PROTOCOL_VERSION (UINT32_MAX-1)
+
/**
* Given a string s and optional end-of-string pointer
* end_of_range, parse the protocol range and store it in
@@ -126,9 +129,14 @@ parse_version_range(const char *s, const char *end_of_range,
if (BUG(!end_of_range))
end_of_range = s + strlen(s); // LCOV_EXCL_LINE
+ /* A range must start with a digit. */
+ if (!TOR_ISDIGIT(*s)) {
+ goto error;
+ }
+
/* Note that this wouldn't be safe if we didn't know that eventually,
* we'd hit a NUL */
- low = (uint32_t) tor_parse_ulong(s, 10, 0, UINT32_MAX, &ok, &next);
+ low = (uint32_t) tor_parse_ulong(s, 10, 0, MAX_PROTOCOL_VERSION, &ok, &next);
if (!ok)
goto error;
if (next > end_of_range)
@@ -141,13 +149,21 @@ parse_version_range(const char *s, const char *end_of_range,
if (*next != '-')
goto error;
s = next+1;
+
/* ibid */
- high = (uint32_t) tor_parse_ulong(s, 10, 0, UINT32_MAX, &ok, &next);
+ if (!TOR_ISDIGIT(*s)) {
+ goto error;
+ }
+ high = (uint32_t) tor_parse_ulong(s, 10, 0,
+ MAX_PROTOCOL_VERSION, &ok, &next);
if (!ok)
goto error;
if (next != end_of_range)
goto error;
+ if (low > high)
+ goto error;
+
done:
*high_out = high;
*low_out = low;
@@ -198,10 +214,6 @@ parse_single_entry(const char *s, const char *end_of_entry)
goto error;
}
- if (range->low > range->high) {
- goto error;
- }
-
s = comma;
while (*s == ',' && s < end_of_entry)
++s;
@@ -596,6 +608,12 @@ protover_compute_vote(const smartlist_t *list_of_proto_strings,
// First, parse the inputs and break them into singleton entries.
SMARTLIST_FOREACH_BEGIN(list_of_proto_strings, const char *, vote) {
smartlist_t *unexpanded = parse_protocol_list(vote);
+ if (! unexpanded) {
+ log_warn(LD_NET, "I failed with parsing a protocol list from "
+ "an authority. The offending string was: %s",
+ escaped(vote));
+ continue;
+ }
smartlist_t *this_vote = expand_protocol_list(unexpanded);
if (this_vote == NULL) {
log_warn(LD_NET, "When expanding a protocol list from an authority, I "
@@ -660,6 +678,11 @@ protover_all_supported(const char *s, char **missing_out)
}
smartlist_t *entries = parse_protocol_list(s);
+ if (BUG(entries == NULL)) {
+ log_warn(LD_NET, "Received an unparseable protocol list %s"
+ " from the consensus", escaped(s));
+ return 1;
+ }
missing = smartlist_new();
diff --git a/src/test/test_protover.c b/src/test/test_protover.c
index d3d1462567..c343e9957d 100644
--- a/src/test/test_protover.c
+++ b/src/test/test_protover.c
@@ -155,6 +155,70 @@ test_protover_vote(void *arg)
tt_str_op(result, OP_EQ, "Bar=3-6,8 Foo=9");
tor_free(result);
+ /* High threshold */
+ result = protover_compute_vote(lst, 3);
+ tt_str_op(result, OP_EQ, "");
+ tor_free(result);
+
+ /* Bad votes: the result must be empty */
+ smartlist_clear(lst);
+ smartlist_add(lst, (void*) "Faux=10-5");
+ result = protover_compute_vote(lst, 1);
+ tt_str_op(result, OP_EQ, "");
+ tor_free(result);
+
+ /* This fails, since "-0" is not valid. */
+ smartlist_clear(lst);
+ smartlist_add(lst, (void*) "Faux=-0");
+ result = protover_compute_vote(lst, 1);
+ tt_str_op(result, OP_EQ, "");
+ tor_free(result);
+
+ /* Vote large protover lists that are just below the threshold */
+
+ /* Just below the threshold: Rust */
+ smartlist_clear(lst);
+ smartlist_add(lst, (void*) "Sleen=1-500");
+ result = protover_compute_vote(lst, 1);
+ tt_str_op(result, OP_EQ, "Sleen=1-500");
+ tor_free(result);
+
+ /* Just below the threshold: C */
+ smartlist_clear(lst);
+ smartlist_add(lst, (void*) "Sleen=1-65536");
+ result = protover_compute_vote(lst, 1);
+ tt_str_op(result, OP_EQ, "Sleen=1-65536");
+ tor_free(result);
+
+ /* Large protover lists that exceed the threshold */
+
+ /* By adding two votes, C allows us to exceed the limit */
+ smartlist_add(lst, (void*) "Sleen=1-65536");
+ smartlist_add(lst, (void*) "Sleen=100000");
+ result = protover_compute_vote(lst, 1);
+ tt_str_op(result, OP_EQ, "Sleen=1-65536,100000");
+ tor_free(result);
+
+ /* Large integers */
+ smartlist_clear(lst);
+ smartlist_add(lst, (void*) "Sleen=4294967294");
+ result = protover_compute_vote(lst, 1);
+ tt_str_op(result, OP_EQ, "Sleen=4294967294");
+ tor_free(result);
+
+ /* This parses, but fails at the vote stage */
+ smartlist_clear(lst);
+ smartlist_add(lst, (void*) "Sleen=4294967295");
+ result = protover_compute_vote(lst, 1);
+ tt_str_op(result, OP_EQ, "");
+ tor_free(result);
+
+ smartlist_clear(lst);
+ smartlist_add(lst, (void*) "Sleen=4294967296");
+ result = protover_compute_vote(lst, 1);
+ tt_str_op(result, OP_EQ, "");
+ tor_free(result);
+
done:
tor_free(result);
smartlist_free(lst);
@@ -194,7 +258,36 @@ test_protover_all_supported(void *arg)
tt_str_op(msg, OP_EQ, "Link=3-999");
tor_free(msg);
+ /* CPU/RAM DoS loop: Rust only */
+ tt_assert(! protover_all_supported("Sleen=0-2147483648", &msg));
+ tt_str_op(msg, OP_EQ, "Sleen=0-2147483648");
+ tor_free(msg);
+
+ /* This case is allowed. */
+ tt_assert(! protover_all_supported("Sleen=0-4294967294", &msg));
+ tt_str_op(msg, OP_EQ, "Sleen=0-4294967294");
+ tor_free(msg);
+
+ /* If we get an unparseable list, we say "yes, that's supported." */
+#ifndef HAVE_RUST
+ // XXXX let's make this section unconditional: rust should behave the
+ // XXXX same as C here!
+ tor_capture_bugs_(1);
+ tt_assert(protover_all_supported("Fribble", &msg));
+ tt_ptr_op(msg, OP_EQ, NULL);
+ tor_end_capture_bugs_();
+
+ /* This case is forbidden. Since it came from a protover_all_supported,
+ * it can trigger a bug message. */
+ tor_capture_bugs_(1);
+ tt_assert(protover_all_supported("Sleen=0-4294967295", &msg));
+ tt_ptr_op(msg, OP_EQ, NULL);
+ tor_free(msg);
+ tor_end_capture_bugs_();
+#endif
+
done:
+ tor_end_capture_bugs_();
tor_free(msg);
}
@@ -401,6 +494,83 @@ test_protover_supported_protocols(void *arg)
;
}
+static void
+test_protover_vote_roundtrip(void *args)
+{
+ (void) args;
+ static const struct {
+ const char *input;
+ const char *expected_output;
+ } examples[] = {
+ { "Fkrkljdsf", NULL },
+ { "Zn=4294967295", NULL },
+ { "Zn=4294967295-1", NULL },
+ { "Zn=4294967293-4294967295", NULL },
+ /* Will fail because of 4294967295. */
+ { "Foo=1,3 Bar=3 Baz= Quux=9-12,14,15-16,900 Zn=0,4294967295",
+ NULL },
+ { "Foo=1,3 Bar=3 Baz= Quux=9-12,14,15-16,900 Zn=0,4294967294",
+ "Bar=3 Foo=1,3 Quux=9-12,14-16,900 Zn=0,4294967294" },
+ { "Zu16=0,65536", "Zu16=0,65536" },
+ { "N-1=1,2", "N-1=1-2" },
+ { "-1=4294967295", NULL },
+ { "-1=3", "-1=3" },
+ /* junk. */
+ { "!!3@*", NULL },
+ /* Missing equals sign */
+ { "Link=4 Haprauxymatyve Desc=9", NULL },
+ { "Link=4 Haprauxymatyve=7 Desc=9",
+ "Desc=9 Haprauxymatyve=7 Link=4" },
+ { "=10-11", NULL },
+ { "X=10-11", "X=10-11" },
+ { "Link=4 =3 Desc=9", NULL },
+ { "Link=4 Z=3 Desc=9", "Desc=9 Link=4 Z=3" },
+ { "Link=fred", NULL },
+ { "Link=1,fred", NULL },
+ { "Link=1,fred,3", NULL },
+ { "Link=1,9-8,3", NULL },
+ { "Faux=-0", NULL },
+ { "Faux=0--0", NULL },
+ // "These fail at the splitting stage in Rust, but the number parsing
+ // stage in C."
+ { "Faux=-1", NULL },
+ { "Faux=-1-3", NULL },
+ { "Faux=1--1", NULL },
+ /* Large integers */
+ { "Link=4294967296", NULL },
+ /* Large range */
+ { "Sleen=1-501", "Sleen=1-501" },
+ { "Sleen=1-65537", NULL },
+ /* CPU/RAM DoS Loop: Rust only. */
+ { "Sleen=0-2147483648", NULL },
+ /* Rust seems to experience an internal error here. */
+ { "Sleen=0-4294967295", NULL },
+ };
+ unsigned u;
+ smartlist_t *votes = smartlist_new();
+ char *result = NULL;
+
+ for (u = 0; u < ARRAY_LENGTH(examples); ++u) {
+ const char *input = examples[u].input;
+ const char *expected_output = examples[u].expected_output;
+
+ smartlist_add(votes, (void*)input);
+ result = protover_compute_vote(votes, 1);
+ if (expected_output != NULL) {
+ tt_str_op(result, OP_EQ, expected_output);
+ } else {
+ tt_str_op(result, OP_EQ, "");
+ }
+
+ smartlist_clear(votes);
+ tor_free(result);
+ }
+
+ done:
+ smartlist_free(votes);
+ tor_free(result);
+}
+
#define PV_TEST(name, flags) \
{ #name, test_protover_ ##name, (flags), NULL, NULL }
@@ -413,6 +583,7 @@ struct testcase_t protover_tests[] = {
PV_TEST(list_supports_protocol_returns_true, 0),
PV_TEST(supports_version, 0),
PV_TEST(supported_protocols, 0),
+ PV_TEST(vote_roundtrip, 0),
END_OF_TESTCASES
};