Commit be0535f0 authored by Nick Mathewson's avatar Nick Mathewson 🤹

Correctly handle broken escape sequences in torrc values

Previously, malformed torrc values could crash us.

Patch by Esteban Manchado.  Fixes bug 5090; fix on 0.2.0.16-alpha.
parent fe50b676

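--- /dev/null
+++ b/changes/bug5090
@@ -0,0 +1,6 @@
+  o Minor bugfixes:
+    - Detect and reject certain misformed escape sequences in configuration
+      values. Previously, these values would cause us to crash if received
+      in a torrc file or over an (authenticated) control port. Patch by
+      Esteban Manchado Velázquez. Fix for bug 5090; bugfix on 0.2.0.16-alpha.
+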
+18 −6
@@ -2212,14 +2212,16 @@ unescape_string(const char *s, char **result, size_t *size_out)
      case '\"':
        goto end_of_loop;
      case '\\':
        if ((cp[1] == 'x' || cp[1] == 'X')
            && TOR_ISXDIGIT(cp[2]) && TOR_ISXDIGIT(cp[3])) {
        if (cp[1] == 'x' || cp[1] == 'X') {
          if (!(TOR_ISXDIGIT(cp[2]) && TOR_ISXDIGIT(cp[3])))
            return NULL;
          cp += 4;
        } else if (TOR_ISODIGIT(cp[1])) {
          cp += 2;
          if (TOR_ISODIGIT(*cp)) ++cp;
          if (TOR_ISODIGIT(*cp)) ++cp;
        } else if (cp[1]) {
        } else if (cp[1] == 'n' || cp[1] == 'r' || cp[1] == 't' || cp[1] == '"'
                   || cp[1] == '\\' || cp[1] == '\'') {
          cp += 2;
        } else {
          return NULL;
@@ -2251,9 +2253,19 @@ unescape_string(const char *s, char **result, size_t *size_out)
          case 'r': *out++ = '\r'; cp += 2; break;
          case 't': *out++ = '\t'; cp += 2; break;
          case 'x': case 'X':
            *out++ = ((hex_decode_digit(cp[2])<<4) +
                      hex_decode_digit(cp[3]));
            {
              int x1, x2;

              x1 = hex_decode_digit(cp[2]);
              x2 = hex_decode_digit(cp[3]);
              if (x1 == -1 || x2 == -1) {
                  tor_free(*result);
                  return NULL;
              }

              *out++ = ((x1<<4) + x2);
              cp += 4;
            }
            break;
          case '0': case '1': case '2': case '3': case '4': case '5':
          case '6': case '7':
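Review bot: The escape whitelist added to the scanning loop in the first hunk (`cp[1] == 'n' || cp[1] == 'r' || cp[1] == 't' || ...`) is a hand-written copy of the cases the decoding `switch` in the second hunk is expected to handle, and nothing ties the two lists together. The removed `else if (cp[1])` branch shows why this matters: it let `\x` without two hex digits through to a decoder that reads `cp[2]` and `cp[3]`. I would add a comment above the new branch, for example `/* Must accept exactly the escapes the decoding switch below handles; a mismatch desynchronizes cp between the two passes. */`, and add regression cases for a truncated `\x` and an unknown escape, since no test change is visible on this page. As a style point, the body of `if (x1 == -1 || x2 == -1)` in the second hunk is indented four columns where the surrounding code uses two. Both hunks cut through unescape_string, so the remaining switch cases and the allocation of `*result` are outside what is shown and should be checked against the whitelist.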