Opened 4 months ago

Last modified 19 hours ago

#23082 new defect

tor_addr_parse is overly permissive

Reported by: dcf
Owned by:
Priority: Medium
Milestone: Tor: unspecified
Component: Core Tor/Tor
Version: Tor: 0.3.1.5-alpha
Severity: Normal
Keywords: 032-unreached
Cc:
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:

Description (last modified by dcf)

tor_addr_parse allows these surprising address formats:

  • [192.0.2.1] (IPv4 in square brackets) → 192.0.2.1
  • [11.22.33.44 (IPv4 with left square bracket only) → 11.22.33.4
  • [11:22::33:44 (IPv6 with left square bracket only) → 11:22::33:4
  • 11:22::33:44: (IPv6 with trailing colon) → 11:22::33:44

Child Tickets

Attachments (3)

0001-Add-tests-for-tor_addr_parse-separate-from-tor_addr_.patch (2.6 KB) - added by dcf 4 months ago.
fuzz_addr_findings.tar.gz (16.7 KB) - added by dcf 4 months ago.
Output of afl-fuzz -i src/test/fuzz/fuzz_addr_testcases -o src/test/fuzz/fuzz_addr_findings -- src/test/fuzz/fuzz-addr
fuzz_addr.c (711 bytes) - added by dcf 4 months ago.


Change History (9)

comment:1 Changed 4 months ago by dcf

attachment:0001-Add-tests-for-tor_addr_parse-separate-from-tor_addr_.patch adds tests for tor_addr_parse, including the cases in the ticket description.

comment:2 Changed 4 months ago by asn

Milestone: Tor: 0.3.2.x-final

Changed 4 months ago by dcf

Attachment: fuzz_addr_findings.tar.gz added

Output of afl-fuzz -i src/test/fuzz/fuzz_addr_testcases -o src/test/fuzz/fuzz_addr_findings -- src/test/fuzz/fuzz-addr

Changed 4 months ago by dcf

Attachment: fuzz_addr.c added

comment:3 Changed 4 months ago by dcf

Here is a fuzzer for tor_addr_parse: attachment:fuzz_addr.c.

I ran it and didn't find any other unexpected inputs accepted by tor_addr_parse: attachment:fuzz_addr_findings.tar.gz

$ for a in fuzz_addr_findings/queue/*; do ./fuzz-addr --info < $a; done | grep -v error

comment:4 Changed 2 months ago by dcf

Description: modified (diff)

comment:5 Changed 2 months ago by nickm

Keywords: 032-unreached added
Milestone: Tor: 0.3.2.x-final → Tor: unspecified

Mark a large number of tickets that I do not think we will do for 0.3.2.

comment:6 Changed 19 hours ago by dcf

You can surface this bug from the command line:

$ tor-resolve -x '[138.201.14.1979'
saxatile.torproject.org

This command should result in an error, but doesn't. Notice there are four digits in the last octet of the bogus address [138.201.14.1979. saxatile's IP address is 138.201.14.197. tor_addr_parse is throwing away the final character, and therefore failing to notice that the address is bad, because the string starts with [.
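The bracket-handling behaviour described in the ticket description and in comment 6, modelled as an added example. This is not Tor's code and does not reproduce tor_addr_parse; permissive_addr_parse is a hypothetical simplified model of the reported bug (a leading '[' causes the final character to be dropped unchecked), and strict_addr_parse is a hypothetical parser that rejects those inputs. The model covers the bracket cases and the tor-resolve input above; it does not reproduce the trailing-colon case, since inet_pton already refuses that on its own.

```c
/* Added example (not Tor's code): a simplified model of the permissive
 * bracket handling reported in this ticket, next to a strict parser that
 * rejects the surprising inputs. Both function names are hypothetical. */
#include <arpa/inet.h>
#include <stdio.h>
#include <string.h>

#define ADDR_BUF 64

/* Modelled bug: when the string starts with '[', the first AND last
 * characters are dropped without checking that the last one is ']', and
 * the remainder goes to inet_pton(). Returns the address family parsed,
 * or -1. 'out' (at least 16 bytes) may be NULL when only the verdict matters. */
int permissive_addr_parse(const char *s, unsigned char *out)
{
  unsigned char tmp[16];
  char buf[ADDR_BUF];
  size_t len = strlen(s);

  if (!out) out = tmp;
  if (len == 0 || len >= sizeof(buf)) return -1;

  if (s[0] == '[') {
    if (len < 2) return -1;
    memcpy(buf, s + 1, len - 2);   /* silently drops the final character */
    buf[len - 2] = '\0';
  } else {
    memcpy(buf, s, len + 1);
  }
  if (inet_pton(AF_INET, buf, out) == 1) return AF_INET;
  if (inet_pton(AF_INET6, buf, out) == 1) return AF_INET6;
  return -1;
}

/* Strict variant: brackets must be balanced and are only accepted around
 * an IPv6 literal; a stray '[' or ']' anywhere else is rejected; the rest
 * is left to inet_pton(), which already refuses a trailing ':'. */
int strict_addr_parse(const char *s, unsigned char *out)
{
  unsigned char tmp[16];
  char buf[ADDR_BUF];
  size_t len = strlen(s);

  if (!out) out = tmp;
  if (len == 0 || len >= sizeof(buf)) return -1;

  if (s[0] == '[') {
    if (len < 3 || s[len - 1] != ']') return -1;   /* unbalanced bracket */
    memcpy(buf, s + 1, len - 2);
    buf[len - 2] = '\0';
    return inet_pton(AF_INET6, buf, out) == 1 ? AF_INET6 : -1;
  }
  if (strchr(s, '[') || strchr(s, ']')) return -1;
  if (inet_pton(AF_INET, s, out) == 1) return AF_INET;
  if (inet_pton(AF_INET6, s, out) == 1) return AF_INET6;
  return -1;
}

int main(void)
{
  /* Inputs taken from the ticket description and from comment 6. */
  const char *inputs[] = {
    "[192.0.2.1]", "[11.22.33.44", "[11:22::33:44", "11:22::33:44:",
    "[138.201.14.1979", "192.0.2.1", "[11:22::33:44]",
  };
  unsigned char addr[16];
  char text[INET6_ADDRSTRLEN];
  size_t i;

  for (i = 0; i < sizeof(inputs) / sizeof(inputs[0]); i++) {
    int fam = permissive_addr_parse(inputs[i], addr);
    printf("%-20s permissive: ", inputs[i]);
    if (fam == -1) printf("rejected");
    else printf("%s", inet_ntop(fam, addr, text, sizeof(text)));
    printf("  strict: %s\n",
           strict_addr_parse(inputs[i], NULL) == -1 ? "rejected" : "accepted");
  }
  return 0;
}
```

Running the program prints, for each input, what the permissive model turns it into (e.g. [138.201.14.1979 becomes 138.201.14.197) and that the strict parser rejects every bracket form other than a balanced [IPv6] literal.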
