From 9b344628ed8f15543dc7780cc2a5cdd1b8f656cf Mon Sep 17 00:00:00 2001
From: Nick Mathewson <nickm@torproject.org>
Date: Mon, 7 May 2012 12:25:59 -0400
Subject: [PATCH 1/3] Handle out-of-range values in tor_parse_* integer
 functions

The underlying strtoX functions handle overflow by saturating and
setting errno to ERANGE.  If the min/max arguments to the
tor_parse_* functions are equal to the minimum/maximum of the
underlying type, then with the old approach, we wouldn't treat a
too-large value as genuinely broken.

Found this while looking at bug 5786; bugfix on 19da1f36 (in Tor
0.0.9), which introduced these functions.
---
 changes/bug5786_range |  8 ++++++++
 src/common/util.c     |  7 +++++++
 src/test/test_util.c  | 15 +++++++++++++++
 3 files changed, 30 insertions(+)
 create mode 100644 changes/bug5786_range

diff --git a/changes/bug5786_range b/changes/bug5786_range
new file mode 100644
index 000000000..40ac4d246
--- /dev/null
+++ b/changes/bug5786_range
@@ -0,0 +1,8 @@
+  o Minor bugfixes:
+    - Make our number-parsing functions always treat too-large values
+      as an error, even when those values exceed the width of the
+      underlying type. Previously, if the caller provided these
+      functions with minima or maxima set to the extreme values of the
+      underlying integer type, these functions would return those
+      values on overflow rather than treating overflow as an error.
+      Fix for part of bug 5786; bugfix on Tor 0.0.9.
\ No newline at end of file
diff --git a/src/common/util.c b/src/common/util.c
index e3cd154b9..7d2fc4dea 100644
--- a/src/common/util.c
+++ b/src/common/util.c
@@ -764,6 +764,9 @@ tor_digest256_is_zero(const char *digest)
 /* Helper: common code to check whether the result of a strtol or strtoul or
  * strtoll is correct. */
 #define CHECK_STRTOX_RESULT()                           \
+  /* Did an overflow occur? */                          \
+  if (errno == ERANGE)                                  \
+    goto err;                                           \
   /* Was at least one character converted? */           \
   if (endptr == s)                                      \
     goto err;                                           \
@@ -800,6 +803,7 @@ tor_parse_long(const char *s, int base, long min, long max,
   char *endptr;
   long r;
 
+  errno = 0;
   r = strtol(s, &endptr, base);
   CHECK_STRTOX_RESULT();
 }
@@ -812,6 +816,7 @@ tor_parse_ulong(const char *s, int base, unsigned long min,
   char *endptr;
   unsigned long r;
 
+  errno = 0;
   r = strtoul(s, &endptr, base);
   CHECK_STRTOX_RESULT();
 }
@@ -823,6 +828,7 @@ tor_parse_double(const char *s, double min, double max, int *ok, char **next)
   char *endptr;
   double r;
 
+  errno = 0;
   r = strtod(s, &endptr);
   CHECK_STRTOX_RESULT();
 }
@@ -836,6 +842,7 @@ tor_parse_uint64(const char *s, int base, uint64_t min,
   char *endptr;
   uint64_t r;
 
+  errno = 0;
 #ifdef HAVE_STRTOULL
   r = (uint64_t)strtoull(s, &endptr, base);
 #elif defined(MS_WINDOWS)
diff --git a/src/test/test_util.c b/src/test/test_util.c
index 23cd059cf..ee745c5cf 100644
--- a/src/test/test_util.c
+++ b/src/test/test_util.c
@@ -283,6 +283,21 @@ test_util_strmisc(void)
   test_assert(i == 1);
   }
 
+  {
+    /* Test tor_parse_* where we overflow/underflow the underlying type. */
+    /* This string should overflow 64-bit ints. */
+#define TOOBIG "100000000000000000000000000"
+    test_eq(0L, tor_parse_long(TOOBIG, 10, LONG_MIN, LONG_MAX, &i, NULL));
+    test_eq(i, 0);
+    test_eq(0L, tor_parse_long("-"TOOBIG, 10, LONG_MIN, LONG_MAX, &i, NULL));
+    test_eq(i, 0);
+    test_eq(0UL, tor_parse_ulong(TOOBIG, 10, 0, ULONG_MAX, &i, NULL));
+    test_eq(i, 0);
+    test_eq(U64_LITERAL(0), tor_parse_uint64(TOOBIG, 10,
+                                             0, UINT64_MAX, &i, NULL));
+    test_eq(i, 0);
+  }
+
   /* Test failing snprintf cases */
   test_eq(-1, tor_snprintf(buf, 0, "Foo"));
   test_eq(-1, tor_snprintf(buf, 2, "Foo"));

From f6617473700eb4b4ab30255e7176d774c38931cd Mon Sep 17 00:00:00 2001
From: Ravi Chandra Padmala <neenaoffline@gmail.com>
Date: Fri, 4 May 2012 02:34:26 +0530
Subject: [PATCH 2/3] Add missing CRLFs to AUTHCHALLENGE failure replies Fix
 #5760

---
 src/or/control.c | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/src/or/control.c b/src/or/control.c
index ddfc80e8f..5ffe63b72 100644
--- a/src/or/control.c
+++ b/src/or/control.c
@@ -2839,13 +2839,13 @@ handle_control_authchallenge(control_connection_t *conn, uint32_t len,
     cp += strlen("SAFECOOKIE");
   } else {
     connection_write_str_to_buf("513 AUTHCHALLENGE only supports SAFECOOKIE "
-                                "authentication", conn);
+                                "authentication\r\n", conn);
     connection_mark_for_close(TO_CONN(conn));
     return -1;
   }
 
   if (!authentication_cookie_is_set) {
-    connection_write_str_to_buf("515 Cookie authentication is disabled", conn);
+    connection_write_str_to_buf("515 Cookie authentication is disabled\r\n", conn);
     connection_mark_for_close(TO_CONN(conn));
     return -1;
   }
@@ -2856,7 +2856,7 @@ handle_control_authchallenge(control_connection_t *conn, uint32_t len,
       decode_escaped_string(cp, len - (cp - body),
                             &client_nonce, &client_nonce_len);
     if (newcp == NULL) {
-      connection_write_str_to_buf("513 Invalid quoted client nonce",
+      connection_write_str_to_buf("513 Invalid quoted client nonce\r\n",
                                   conn);
       connection_mark_for_close(TO_CONN(conn));
       return -1;
@@ -2870,7 +2870,7 @@ handle_control_authchallenge(control_connection_t *conn, uint32_t len,
 
     if (base16_decode(client_nonce, client_nonce_len,
                       cp, client_nonce_encoded_len) < 0) {
-      connection_write_str_to_buf("513 Invalid base16 client nonce",
+      connection_write_str_to_buf("513 Invalid base16 client nonce\r\n",
                                   conn);
       connection_mark_for_close(TO_CONN(conn));
       return -1;
@@ -2882,7 +2882,7 @@ handle_control_authchallenge(control_connection_t *conn, uint32_t len,
   cp += strspn(cp, " \t\n\r");
   if (*cp != '\0' ||
       cp != body + len) {
-    connection_write_str_to_buf("513 Junk at end of AUTHCHALLENGE command",
+    connection_write_str_to_buf("513 Junk at end of AUTHCHALLENGE command\r\n",
                                 conn);
     connection_mark_for_close(TO_CONN(conn));
     tor_free(client_nonce);

From 5bbf04dc9727de393ab1c42440124d875c79c13e Mon Sep 17 00:00:00 2001
From: Ravi Chandra Padmala <neenaoffline@gmail.com>
Date: Thu, 10 May 2012 12:53:16 +0530
Subject: [PATCH 3/3] Add changes/bug5760

---
 changes/bug5760 | 3 +++
 1 file changed, 3 insertions(+)
 create mode 100644 changes/bug5760

diff --git a/changes/bug5760 b/changes/bug5760
new file mode 100644
index 000000000..a26407b58
--- /dev/null
+++ b/changes/bug5760
@@ -0,0 +1,3 @@
+  o Major bugfixes:
+    - End AUTHCHALLENGE error response messages with a CRLF. Fixes bug 5760;
+      bugfix on 0.2.3.16-alpha, and backported to maint-0.2.2