Add another NULL-pointer fix for protover.c.

This one can only be exploited if you can generate a correctly
signed consensus, so it's not as bad as 25074.

Fixes bug 25251; also tracked as TROVE-2018-004.

diff --git a/changes/trove-2018-004 b/changes/trove-2018-004
new file mode 100644 (file)
index 0000000..37e0a89
--- /dev/null
+++ b/changes/trove-2018-004
@@ -0,0 +1,8 @@
+  o Minor bugfixes (denial-of-service):
+    - Fix a possible crash on malformed consensus. If a consensus had
+      contained an unparseable protocol line, it could have made clients
+      and relays crash with a null-pointer exception. To exploit this
+      issue, however, an attacker would need to be able to subvert the
+      directory-authority system. Fixes bug 25251; bugfix on
+      0.2.9.4-alpha. Also tracked as TROVE-2018-004.
+

diff --git a/src/or/protover.c b/src/or/protover.c
index a750774623a5f2a50f0bd9b566416692b2b8d209..e63036f784b3e3f40b3058662cfc7d0efabebc35 100644 (file)
--- a/src/or/protover.c
+++ b/src/or/protover.c
@@ -624,6 +624,11 @@ protover_all_supported(const char *s, char **missing_out)
   }
 
   smartlist_t *entries = parse_protocol_list(s);
+  if (BUG(entries == NULL)) {
+    log_warn(LD_NET, "Received an unparseable protocol list %s"
+             " from the consensus", escaped(s));
+    return 1;
+  }
 
   missing = smartlist_new();