Minor tor_inet_pton bug fixes

In particular:
* Disallow "0x10::"
* Don't blow up on ":"
* Disallow "::10000"

diff --git a/src/common/compat.c b/src/common/compat.c
index ba49af757cbd2fde5d8a2f21e8ed0fa0d30654b2..20c45af00b91cb002825df0b7c315bca7524ad9a 100644 (file)
--- a/src/common/compat.c
+++ b/src/common/compat.c
@@ -1733,24 +1733,30 @@ tor_inet_pton(int af, const char *src, void *dst)
         return 0;
       if (TOR_ISXDIGIT(*src)) {
         char *next;
+        int len;
         long r = strtol(src, &next, 16);
-        if (next > 4+src)
-          return 0;
-        if (next == src)
-          return 0;
-        if (r<0 || r>65536)
+        tor_assert(next != NULL);
+        tor_assert(next != src);
+
+        len = *next == '\0' ? eow - src : next - src;
+        if (len > 4)
           return 0;
+        if (len > 1 && !TOR_ISXDIGIT(src[1]))
+          return 0; /* 0x is not valid */
 
+        tor_assert(r >= 0);
+        tor_assert(r < 65536);
         words[i++] = (uint16_t)r;
         setWords++;
         src = next;
         if (*src != ':' && src != eow)
           return 0;
         ++src;
-      } else if (*src == ':' && i > 0 && gapPos==-1) {
+      } else if (*src == ':' && i > 0 && gapPos == -1) {
         gapPos = i;
         ++src;
-      } else if (*src == ':' && i == 0 && src[1] == ':' && gapPos==-1) {
+      } else if (*src == ':' && i == 0 && src+1 < eow && src[1] == ':' &&
+                 gapPos == -1) {
         gapPos = i;
         src += 2;
       } else {