Reject most directory documents with an internal NUL.

(Specifically, we reject all the ones that aren't NUL-terminated,
since a NUL-terminated thing can't have a NUL in the middle.)

Another fix for #8037.

diff --git a/changes/bug8037 b/changes/bug8037
index 5f3c1a3a8fce5a5a2d5581b402d5dba40d3c2a53..989745fc392f585af34f308027f17d5f913084a2 100644 (file)
--- a/changes/bug8037
+++ b/changes/bug8037
@@ -2,3 +2,7 @@
     - Correctly store microdescriptors and extrainfo descriptors with
       an internal NUL byte. Fixes bug 8037; bugfix on 0.2.0.1-alpha.
       Bug reported by "cypherpunks".
+
+  o Minor features:
+    - Reject as invalid most directory objects containing a
+      NUL. Belt-and-suspender fix for bug 8037.

diff --git a/src/or/routerparse.c b/src/or/routerparse.c
index 23dae382fcaacd1ef8f0cd0c8dac6e90d96d365d..2c345ae11350a32d8427f5ab6d38795e0f2ba522 100644 (file)
--- a/src/or/routerparse.c
+++ b/src/or/routerparse.c
@@ -3902,8 +3902,15 @@ tokenize_string(memarea_t *area,
   tor_assert(area);
 
   s = &start;
-  if (!end)
+  if (!end) {
     end = start+strlen(start);
+  } else {
+    /* it's only meaningful to check for nuls if we got an end-of-string ptr */
+    if (memchr(start, '\0', end-start)) {
+      log_warn(LD_DIR, "parse error: internal NUL character.");
+      return -1;
+    }
+  }
   for (i = 0; i < NIL_; ++i)
     counts[i] = 0;