From 7a8960cf1b34d27db0ffe0929c1810800f319c86 Mon Sep 17 00:00:00 2001
From: Nick Mathewson
Date: Fri, 28 Oct 2011 16:37:42 -0400
Subject: [PATCH 1/3] Fix a memory-poisoning memset in tortls.c
---
 src/common/tortls.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/common/tortls.c b/src/common/tortls.c
index 7aaa4e0894..8cf396cdac 100644
--- a/src/common/tortls.c
+++ b/src/common/tortls.c
@@ -694,7 +694,7 @@ tor_cert_free(tor_cert_t *cert)
 if (cert->cert)
 X509_free(cert->cert);
 tor_free(cert->encoded);
- memset(cert, 0x03, sizeof(cert));
+ memset(cert, 0x03, sizeof(*cert));
 tor_free(cert);
 }

From c2a098e9800edb27d6a3630337e0efa72dfa7ba2 Mon Sep 17 00:00:00 2001
From: Nick Mathewson
Date: Fri, 28 Oct 2011 16:38:56 -0400
Subject: [PATCH 2/3] Fix a double-free that would occur on an invalid cert in a CERTS cell

We would stash the certs in the handshake state before checking them for validity... and then if they turned out to be invalid, we'd give an error and free them. Then, later, we'd free them again when we tore down the connection. Fixes bug 4343; fix on 0.2.3.6-alpha.
---
 changes/bug4343 | 5 +++++
 src/or/command.c | 4 ++--
 2 files changed, 7 insertions(+), 2 deletions(-)
 create mode 100644 changes/bug4343
diff --git a/changes/bug4343 b/changes/bug4343
new file mode 100644
index 0000000000..cee272b976
--- /dev/null
+++ b/changes/bug4343
@@ -0,0 +1,5 @@
+ o Major bugfixes:
+ - Fix a double-free bug that would occur when we received an invalid
+ certificate in a CERT cell in the new v3 handshake. Fixes bug 4343;
+ bugfix on 0.2.3.6-alpha.
+
diff --git a/src/or/command.c b/src/or/command.c
index d35e2a9c80..aa5a62d54c 100644
--- a/src/or/command.c
+++ b/src/or/command.c
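Review bot: The poisoning store `memset(cert, 0x03, sizeof(*cert));` in the tortls.c hunk writes to memory that is released on the very next line, so an optimizing compiler is allowed to drop it as a dead store, and the 0x03 pattern meant to make a stale tor_cert_t pointer fail loudly may be absent from optimized builds. If the tree has a wipe helper that the compiler cannot elide, it would be the safer call here; otherwise a comment such as `/* Poison the struct so a use-after-free is noticeable; the optimizer may elide this. */` would at least record the intent and the limit. The start of tor_cert_free, including any NULL check on cert, is outside the hunk.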
@@ -1020,8 +1020,6 @@ command_process_cert_cell(var_cell_t *cell, or_connection_t *conn)
 ERR("The certs we wanted were missing");
 /* Remember these certificates so we can check an AUTHENTICATE cell */
- conn->handshake_state->id_cert = id_cert;
- conn->handshake_state->auth_cert = auth_cert;
 if (! tor_tls_cert_is_valid(auth_cert, id_cert, 1))
 ERR("The authentication certificate was not valid");
 if (! tor_tls_cert_is_valid(id_cert, id_cert, 1))
@@ -1032,6 +1030,8 @@ command_process_cert_cell(var_cell_t *cell, or_connection_t *conn)
 safe_str(conn->_base.address), conn->_base.port);
 /* XXXX check more stuff? */
+ conn->handshake_state->id_cert = id_cert;
+ conn->handshake_state->auth_cert = auth_cert;
 id_cert = auth_cert = NULL;
 }

From 2018f86e0c7f088de54ff8f7f4d1e04075785206 Mon Sep 17 00:00:00 2001
From: Nick Mathewson
Date: Fri, 28 Oct 2011 16:41:04 -0400
Subject: [PATCH 3/3] "Authetnicate" is not the usual spelling
---
 src/or/command.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/or/command.c b/src/or/command.c
index aa5a62d54c..b090e1643e 100644
--- a/src/or/command.c
+++ b/src/or/command.c
@@ -1135,7 +1135,7 @@ command_process_authenticate_cell(var_cell_t *cell, or_connection_t *conn)
 #define ERR(s) \
 do { \
 log_fn(LOG_PROTOCOL_WARN, LD_PROTOCOL, \
- "Received a bad AUTHETNICATE cell from %s:%d: %s", \
+ "Received a bad AUTHENTICATE cell from %s:%d: %s", \
 safe_str(conn->_base.address), conn->_base.port, (s)); \
 connection_mark_for_close(TO_CONN(conn)); \
 return; \
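Review bot: The comment `/* Remember these certificates so we can check an AUTHENTICATE cell */` is left behind in the @@ -1020 hunk of command_process_cert_cell, where it now sits directly above the two tor_tls_cert_is_valid() checks instead of the assignments it described. It should move down with them, so that it directly precedes `conn->handshake_state->id_cert = id_cert;` in the later hunk. In its old place a short note on the ordering would help the next reader, for example `/* Validate before stashing: handshake_state must only ever own certs that passed these checks. */`. The function body starts and ends outside the hunk.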
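Review bot: The ownership hand-off in the @@ -1032 hunk of command_process_cert_cell is safe only because `id_cert = auth_cert = NULL;` follows the two assignments with nothing in between. Per the commit message the error path frees the local certs, so an ERR() added between the stash and the NULLing would bring back the double free at connection teardown. A comment would pin that invariant down, e.g. `/* handshake_state owns the certs from here on; no ERR() may come between these assignments and the NULLing below. */`. The assignments also overwrite handshake_state->id_cert and ->auth_cert without freeing any previous value; whether a second CERT cell on the same connection is rejected earlier in the function is not visible in the hunk and is worth confirming.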