tor_addr_parse is overly permissive

tor_addr_parse allows these surprising address formats:

• [192.0.2.1] (IPv4 in square brackets) → 192.0.2.1
• [11.22.33.44 (IPv4 with left square bracket only) → 11.22.33.4
• [11:22::33:44 (IPv6 with left square bracket only) → 11:22::33:4
• 11:22::33:44: (IPv6 with trailing colon) → 11:22::33:44

changed milestone to %Tor: 0.4.0.x-final

added 032-unreached component::core tor/tor ipv6 milestone::Tor: 0.4.0.x-final owner::rl1987 priority::medium resolution::fixed reviewer::nickm severity::normal status::closed type::defect labels

Trac:
0001-Add-tests-for-tor_addr_parse-separate-from-tor_addr_.patch

0001-Add-tests-for-tor_addr_parse-separate-from-tor_addr_.patch​ adds tests for tor_addr_parse, including the cases in the ticket description.

Trac:
Milestone: N/A to Tor: 0.3.2.x-final

Trac:
fuzz_addr_findings.tar.gz

Output of afl-fuzz -i src/test/fuzz/fuzz_addr_testcases -o src/test/fuzz/fuzz_addr_findings -- src/test/fuzz/fuzz-addr

Trac:
fuzz_addr.c

Here is a fuzzer for tor_addr_parse: fuzz_addr.c.

I ran it and didn't find any other unexpected inputs accepted by tor_addr_parse: fuzz_addr_findings.tar.gz

$ for a in fuzz_addr_findings/queue/*; do ./fuzz-addr --info < $a; done | grep -v error

Trac:
Description: tor_addr_parse allows these surprising address formats:

• [192.0.2.1] (IPv4 in square brackets) → 192.0.2.1
• [11.22.33.44 (IPv4 with left square bracket only) → 11.22.33.4
• [11:22::33:44 (IPv6 with left square bracket only) → 11:22::33:44
• 11:22::33:44: (IPv6 with trailing colon) → 11:22::33:44

to

tor_addr_parse allows these surprising address formats:

• [192.0.2.1] (IPv4 in square brackets) → 192.0.2.1
• [11.22.33.44 (IPv4 with left square bracket only) → 11.22.33.4
• [11:22::33:44 (IPv6 with left square bracket only) → 11:22::33:4
• 11:22::33:44: (IPv6 with trailing colon) → 11:22::33:44

Mark a large number of tickets that I do not think we will do for 0.3.2.

Trac:
Milestone: Tor: 0.3.2.x-final to Tor: unspecified
Keywords: N/A deleted, 032-unreached added

You can surface this bug from the command line:

$ tor-resolve -x '[138.201.14.1979'
saxatile.torproject.org

This command should result in an error, but doesn't. Notice there are four digits in the last octet of the bogus address [138.201.14.1979. saxatile's IP address is 138.201.14.197. tor_addr_parse is throwing away the final character, and therefore failing to notice that the address is bad, because the string starts with [.

This bug was introduced long before 0.3.1.5.

Trac:
Keywords: N/A deleted, ipv6 added
Version: Tor: 0.3.1.5-alpha to Tor: unspecified

Trac:
Cc: N/A to rl1987

Trac:
Status: new to assigned
Owner: N/A to neel

Trac:
Cc: rl1987 to rl1987, neel@neelc.org

Trac:
Owner: neel to N/A
Cc: rl1987, neel@neelc.org to rl1987

Trac:
Status: assigned to new

Trac:
Owner: N/A to rl1987
Status: new to accepted

https://github.com/torproject/tor/pull/302

Trac:
Status: accepted to needs_review

Replying to rl1987:

https://github.com/torproject/tor/pull/302

Great, rl1987! If you don't mind review from the peanut gallery:

-  if (src[0] == '[' && src[1])
+  if (src[0] == '[' && src[1] && src[strlen(src)-1] == ']') {

I think the condition src[1] is now redundant. It was meant to ensure that the string contains at least 2 characters, but the newly added condition also does that.

I note that the condition brackets_detected != 0 is equivalent to tmp != NULL. But actually, I don't think I would try to remove the brackets_detected variable, because it expresses clearly what it means.

I think the tor_inet_pton(AF_INET6, ...) line could use a comment saying that IPv6 addresses are allowed to be with or without brackets.

+  /* Reject if src has needless trailing ':'. */
+  if (len > 2 && src[len - 1] == ':' && src[len - 2] != ':') {
+    result = -1;
+  } else if (tor_inet_pton(AF_INET6, src, &in6_tmp) > 0) {

I wonder, does this check for a trailing colon belong in tor_inet_pton instead? Or is there a reason for tor_inet_pton to accept such inputs? Maybe for compatibility with inet_pton? It's surprising to me that this check is necessary; I would have assumed (wrongly) that the underlying address parser would reject it.

Replying to dcf:

Replying to rl1987:

https://github.com/torproject/tor/pull/302

Great, rl1987! If you don't mind review from the peanut gallery: {{{#!diff

• if (src[0] == '[' && src[1])

• if (src[0] == '[' && src[1] && src[strlen(src)-1] == ']') { }}} I think the condition src[1] is now redundant. It was meant to ensure that the string contains at least 2 characters, but the newly added condition also does that.

I made some cleanups in ad165f7aef4e2feefd6d4cde5d57dfd4fa6d55f5.

I note that the condition brackets_detected != 0 is equivalent to tmp != NULL. But actually, I don't think I would try to remove the brackets_detected variable, because it expresses clearly what it means.

That's correct. However, I'm keeping tmp variable here, as we may need to free the temporary bracketless string that tor_strndup allocated if brackets were detected. Let's have both variables.

I think the tor_inet_pton(AF_INET6, ...) line could use a comment saying that IPv6 addresses are allowed to be with or without brackets.

Well, function documentation for tor_addr_parse() mentions that already. I don't think that additional comment is needed.

{{{#!diff

• /* Reject if src has needless trailing ':'. */
• if (len > 2 && src[len - 1] == ':' && src[len - 2] != ':') {
• result = -1;
• } else if (tor_inet_pton(AF_INET6, src, &in6_tmp) > 0) { }}} I wonder, does this check for a trailing colon belong in tor_inet_pton instead? Or is there a reason for tor_inet_pton to accept such inputs? Maybe for compatibility with inet_pton? It's surprising to me that this check is necessary; I would have assumed (wrongly) that the underlying address parser would reject it.

That's a good idea, as other code that depends on tor_inet_pton will be able to benefit from that check (such as string_is_valid_ipv6_address() function). So I moved the check in 5438ff3e13a803bf24ba98e11a0b1a6b3d839cc9. I'm not sure if that breaks any standard compatibility though.

Assigning this to 0.3.6, because last time we changed our address code, we broke IPv6 exiting and didn't notice.

Trac:
Version: Tor: unspecified to N/A
Milestone: Tor: unspecified to Tor: 0.3.6.x-final

Trac:
Reviewer: N/A to catalyst

Trac:
Reviewer: catalyst to nickm

LGTM; merged!

Trac:
Status: needs_review to closed
Resolution: N/A to fixed

Tor 0.3.6.x has been renamed to 0.4.0.x.

Trac:
Milestone: Tor: 0.3.6.x-final to Tor: 0.4.0.x-final

closed

mentioned in issue #30721 (moved)

mentioned in issue #32314 (moved)

moved to tpo/core/tor#23082 (closed)

mentioned in issue tpo/core/tor#30721 (closed)