Do not assert when comparing a null address/port against a policy
authorNick Mathewson <nickm@torproject.org>
Mon, 27 Aug 2012 15:52:51 +0000 (11:52 -0400)
committerNick Mathewson <nickm@torproject.org>
Mon, 27 Aug 2012 16:04:55 +0000 (12:04 -0400)
This can create a remote crash opportunity for/against directory
authorities.

changes/bug6690 [new file with mode: 0644]
src/or/policies.c

diff --git a/changes/bug6690 b/changes/bug6690
new file mode 100644 (file)
index 0000000..99d4297
--- /dev/null
@@ -0,0 +1,7 @@
+  o Major bugfixes (security):
+    - Do not crash when comparing an address with port value 0 to an
+      address policy. This bug could have been used to cause a remote
+      assertion failure by or against directory authorities, or to
+      allow some applications to crash clients. Fixes bug 6690; bugfix
+      on 0.2.1.10-alpha.
+
index c87036013d2b9ca0063c6bd2889a6263280f20cb..55d08afc8105d6d74a469ee8645e1e48de177618 100644 (file)
@@ -685,7 +685,11 @@ compare_tor_addr_to_addr_policy(const tor_addr_t *addr, uint16_t port,
     /* no policy? accept all. */
     return ADDR_POLICY_ACCEPTED;
   } else if (tor_addr_is_null(addr)) {
-    tor_assert(port != 0);
+    if (port == 0) {
+      log_info(LD_BUG, "Rejecting null address with 0 port (family %d)",
+               addr ? tor_addr_family(addr) : -1);
+      return ADDR_POLICY_REJECTED;
+    }
     return compare_unknown_tor_addr_to_addr_policy(port, policy);
   } else if (port == 0) {
     return compare_known_tor_addr_to_addr_policy_noport(addr, policy);
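Review bot: The new `if (port == 0)` branch carries no comment explaining why it returns `ADDR_POLICY_REJECTED` instead of asserting, and the function's header comment (outside this hunk) presumably does not yet describe the null-address/zero-port case. Since the commit message says this input can be reached remotely, I would add `/* Address and port both unknown: reachable from untrusted input, so fail closed rather than assert. */` above the check and mention the return value in the function's doc comment. A regression test that calls compare_tor_addr_to_addr_policy with a null address and port 0 and expects ADDR_POLICY_REJECTED would keep the assertion from being reintroduced. The message is logged at info level, which looks appropriate for something a peer can trigger repeatedly; if it is ever raised to a louder severity it should be rate-limited.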