Better bounds checking on parsed ints

svn:r2450

2 files changed, 12 insertions, 0 deletions

diff --git a/src/or/rendservice.c b/src/or/rendservice.c
index 06014df53..f14b31557 100644
--- a/src/or/rendservice.c
+++ b/src/or/rendservice.c
@@ -161,6 +161,10 @@ static rend_service_port_config_t *parse_port_config(const char *string)
       log_fn(LOG_WARN, "Unparseable of missing port in hidden service port configuration.");
       return NULL;
     }
+    if (realport < 1 || realport > 65535) {
+      log_fn(LOG_WARN, "Port out of range");
+      return NULL;
+    }
     addr = 0x7F000001u; /* Default to 127.0.0.1 */
   }
 
diff --git a/src/or/routerparse.c b/src/or/routerparse.c
index 4ae222245..b97390931 100644
--- a/src/or/routerparse.c
+++ b/src/or/routerparse.c
@@ -1053,6 +1053,10 @@ router_parse_exit_policy(directory_token_t *tok) {
     bits = (int) strtol(mask, &endptr, 10);
     if (!*endptr) {
       /* strtol handled the whole mask. */
+      if (bits < 0 || bits > 32) {
+        log_fn(LOG_WARN, "Bad number of mask bits on exit policy; rejecting.");
+        goto policy_read_failed;
+      }
       newe->msk = ~((1<<(32-bits))-1);
     } else if (tor_inet_aton(mask, &in) != 0) {
       newe->msk = ntohl(in.s_addr);
@@ -1083,6 +1087,10 @@ router_parse_exit_policy(directory_token_t *tok) {
     } else {
       newe->prt_max = newe->prt_min;
     }
+    if (newe->prt_min > newe->prt_max) {
+      log_fn(LOG_WARN,"Insane port range on exit policy; rejecting.");
+      goto policy_read_failed;
+    }
   }
 
   in.s_addr = htonl(newe->addr);