Opened 4 years ago

Closed 4 years ago

#14142 closed defect (fixed)

A 2-letter torrc file containing "Vi" causes tor to crash

Reported by: teor
Owned by: teor
Priority: Low
Milestone: Tor: 0.2.5.x-final
Component: Core Tor/Tor
Version: Tor: 0.2.6.2-alpha
Severity:
Keywords: tor-client
Cc: nickm
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:

Description

The parsing of the VirtualAddrNetworkIPv[46] options crashes when the line or file ends after the option itself. (The IPv4 option can be abbreviated to "Vi").

This is an easy fix that involves checking for the empty string early on, before we assert on it in the parsing code.

Discovered using afl-fuzz with a custom tor binary that parses a torrc file from standard input (and doesn't do much else). This kind of fuzzing would be easier to conduct using a test harness, rather than using the entire tor binary.
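
The failure mode described above, as an added illustration in C (not Tor's code and not taken from the ticket): a simplified torrc-style line parser in which an abbreviated key such as "Vi" resolves to an option and an empty value is rejected before any parsing, plus a stdin harness of the kind the report suggests for fuzzing. The names parse_line, parse_network and OPTS are hypothetical, and the accepted address syntax is a simplification.

```c
#define _POSIX_C_SOURCE 200809L
#include <arpa/inet.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>

/* Hypothetical option table (not Tor's); a key matches any option it prefixes. */
static const struct { const char *name; int family; long max_bits; } OPTS[] = {
    { "VirtualAddrNetworkIPv4", AF_INET,  32  },
    { "VirtualAddrNetworkIPv6", AF_INET6, 128 },
};

/* Validate "address/bits" up to end of line. Returns 0 if valid, -1 if not. */
static int parse_network(const char *val, int family, long max_bits) {
    char buf[64], *slash, *end;
    unsigned char addr[16];
    size_t len = strcspn(val, "\r\n");
    /* Early check: reject an empty value before code that assumes non-empty. */
    if (len == 0 || len >= sizeof buf) return -1;
    memcpy(buf, val, len);
    buf[len] = '\0';
    if ((slash = strchr(buf, '/')) == NULL) return -1;
    *slash = '\0';
    long bits = strtol(slash + 1, &end, 10);
    if (slash[1] < '0' || slash[1] > '9' || *end != '\0' || bits > max_bits)
        return -1;
    return inet_pton(family, buf, addr) == 1 ? 0 : -1;
}

/* Parse one line. Returns 0 if accepted, -1 if rejected; never aborts. */
int parse_line(const char *line) {
    line += strspn(line, " \t");
    size_t klen = strcspn(line, " \t\r\n");
    if (klen == 0 || *line == '#') return 0;   /* blank line or comment */
    const char *val = line + klen + strspn(line + klen, " \t"); /* may be "" */
    for (size_t i = 0; i < sizeof OPTS / sizeof OPTS[0]; i++)
        if (strncasecmp(OPTS[i].name, line, klen) == 0)
            return parse_network(val, OPTS[i].family, OPTS[i].max_bits);
    return -1;                                 /* unknown option */
}

/* Harness: feed stdin line by line so a fuzzer exercises only the parser. */
int main(void) {
    char line[256];
    int rejected = 0;
    while (fgets(line, sizeof line, stdin))
        rejected += parse_line(line) != 0;
    return rejected != 0;
}
```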

Change History (5)

comment:1 Changed 4 years ago by teor

Owner: set to teor
Status: new → assigned

comment:2 Changed 4 years ago by teor

Keywords: tor-client added; easy removed
Milestone: Tor: 0.2.7.x-final → Tor: 0.2.6.x-final
Priority: normal → minor
Status: assigned → needs_review

Fix is now in bug14142-parse-virtual-addr in my teor2345 github repository.

I think it's a bugfix on 0.2.3 from looking at the logs around the commit that last touched that code. Nick, how do I reliably find out which release bugfixes belong to?

comment:3 in reply to:  2 Changed 4 years ago by nickm

Replying to teor:

> Fix is now in bug14142-parse-virtual-addr in my teor2345 github repository.

Thanks, I'll check it out!

> I think it's a bugfix on 0.2.3 from looking at the logs around the commit that last touched that code. Nick, how do I reliably find out which release bugfixes belong to?

I use an iterative process: I use git blame to see when the line(s) that caused the bug last changed. Then I use git show $commit or git show $commit:filename.c to see what that commit looked like. If the bug existed before the commit, I use git blame $commit^ -- filename.c, and repeat the process. Once I identify the commit that created the bug, I say git describe --contains $commit.

comment:4 Changed 4 years ago by nickm

Milestone: Tor: 0.2.6.x-final → Tor: 0.2.4.x-final

Seems straightforward; cherry-picked to 0.2.5 and later; marking for possible backport to 0.2.4 if we ever do another of those

comment:5 Changed 4 years ago by nickm

Milestone: Tor: 0.2.4.x-final → Tor: 0.2.5.x-final
Resolution: fixed
Status: needs_review → closed

These aren't getting backported. Recommended solution: upgrade to 0.2.5.x stable releases.