hs-v2: Remove any expiring intro from the retry list
TROVE-2017-13. Severity: High. In the unlikely case that a hidden service could be missing intro circuit(s), that it didn't have enough directory information to open new circuits and that an intro point was about to expire, a use-after-free is possible because of the intro point object being both in the retry list and expiring list at the same time. The intro object would get freed after the circuit failed to open and then accessed a second time when cleaned up from the expiring list. Fixes #24313
parent
25c90230be
commit
3030741b5d
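--- a/changes/bug24313
+++ b/changes/bug24313
@@ -0,0 +1,5 @@
+o Major bugfixes (security, hidden service v2):
+- Fix a use-after-free error that could crash v2 Tor hidden services
+when it failed to open circuits while expiring introductions
+points. Fixes bug 24313; bugfix on 0.2.7.2-alpha. This
+issue is also tracked as TROVE-2017-013 and CVE-2017-8823.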
@ -3444,6 +3444,10 @@ remove_invalid_intro_points(rend_service_t *service,
|
|||||||
log_info(LD_REND, "Expiring %s as intro point for %s.",
|
log_info(LD_REND, "Expiring %s as intro point for %s.",
|
||||||
safe_str_client(extend_info_describe(intro->extend_info)),
|
safe_str_client(extend_info_describe(intro->extend_info)),
|
||||||
safe_str_client(service->service_id));
|
safe_str_client(service->service_id));
|
||||||
|
/* We might have put it in the retry list if so, undo. */
|
||||||
|
if (retry_nodes) {
|
||||||
|
smartlist_remove(retry_nodes, intro);
|
||||||
|
}
|
||||||
smartlist_add(service->expiring_nodes, intro);
|
smartlist_add(service->expiring_nodes, intro);
|
||||||
SMARTLIST_DEL_CURRENT(service->intro_nodes, intro);
|
SMARTLIST_DEL_CURRENT(service->intro_nodes, intro);
|
||||||
/* Intro point is expired, we need a new one thus don't consider it
|
/* Intro point is expired, we need a new one thus don't consider it
|
||||||
|
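Review bot: The comment added above the `if (retry_nodes)` guard does not say why the entry has to leave the retry list, and that reason is the whole security fix: per the commit message, an intro point that sits in both `retry_nodes` and `service->expiring_nodes` is freed once when its circuit fails to open and then touched again when the expiring list is cleaned up. I would state the invariant directly, e.g. `/* An intro point must be on at most one of retry_nodes and expiring_nodes; per TROVE-2017-13, being on both leads to a use-after-free when each list is cleaned up. */`. No regression test is visible on this page, so a unit test that expires an intro point already queued for retry and checks that it is absent from `retry_nodes` afterwards would help keep the invariant from silently regressing. The body of remove_invalid_intro_points starts and ends outside the hunk, so whether a later step in the same loop can put the object back on `retry_nodes` cannot be confirmed from here.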