From 8de735f0681970ff688cb5e775dae812ed27aa62 Mon Sep 17 00:00:00 2001 From: Suphanat Chunhapanya Date: Tue, 15 Jan 2019 12:12:31 +0700 Subject: [PATCH 1/3] hs-v3: fix use after free in client auth config We accidentally use `auth` after freeing it in client_service_authorization_free. The way to solve it is to free after using it. --- src/feature/hs/hs_client.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/feature/hs/hs_client.c b/src/feature/hs/hs_client.c index 5fded92fe3..e04f0cc0c3 100644 --- a/src/feature/hs/hs_client.c +++ b/src/feature/hs/hs_client.c @@ -1637,17 +1637,17 @@ hs_config_client_authorization(const or_options_t *options, * as a key of global map in the future. */ if (hs_parse_address(auth->onion_address, &identity_pk, NULL, NULL) < 0) { - client_service_authorization_free(auth); log_warn(LD_REND, "The onion address \"%s\" is invalid in " "file %s", filename, auth->onion_address); + client_service_authorization_free(auth); continue; } if (digest256map_get(auths, identity_pk.pubkey)) { - client_service_authorization_free(auth); log_warn(LD_REND, "Duplicate authorization for the same hidden " "service address %s.", safe_str_client(auth->onion_address)); + client_service_authorization_free(auth); goto end; } From 238a9080c6e80856145210a374b35e613d4cb11e Mon Sep 17 00:00:00 2001 From: Suphanat Chunhapanya Date: Tue, 15 Jan 2019 12:16:23 +0700 Subject: [PATCH 2/3] hs-v3: add an option param to safe log functions We add an option param to safe_str and safe_str_client because in some case we need to use those functions before global_options is set. --- src/app/config/config.c | 16 ++++++++++++---- src/app/config/config.h | 10 ++++++++++ src/feature/hs/hs_client.c | 2 +- 3 files changed, 23 insertions(+), 5 deletions(-) diff --git a/src/app/config/config.c b/src/app/config/config.c index c71ed01843..7bd850eddb 100644 --- a/src/app/config/config.c +++ b/src/app/config/config.c @@ -1086,10 +1086,14 @@ config_free_all(void) * (We return "[scrubbed]" if SafeLogging is "1", and address otherwise.) */ const char * -safe_str_client(const char *address) +safe_str_client_opts(const or_options_t *options, const char *address) { tor_assert(address); - if (get_options()->SafeLogging_ == SAFELOG_SCRUB_ALL) + if (!options) { + options = get_options(); + } + + if (options->SafeLogging_ == SAFELOG_SCRUB_ALL) return "[scrubbed]"; else return address; @@ -1103,10 +1107,14 @@ safe_str_client(const char *address) * otherwise.) */ const char * -safe_str(const char *address) +safe_str_opts(const or_options_t *options, const char *address) { tor_assert(address); - if (get_options()->SafeLogging_ != SAFELOG_SCRUB_NONE) + if (!options) { + options = get_options(); + } + + if (options->SafeLogging_ != SAFELOG_SCRUB_NONE) return "[scrubbed]"; else return address; diff --git a/src/app/config/config.h b/src/app/config/config.h index a169cfd451..6b23b3934f 100644 --- a/src/app/config/config.h +++ b/src/app/config/config.h @@ -143,6 +143,16 @@ MOCK_DECL(char *, #define get_cachedir_fname_suffix(sub1, suffix) \ options_get_cachedir_fname2_suffix(get_options(), (sub1), NULL, (suffix)) +#define safe_str_client(address) \ + safe_str_client_opts(NULL, address) +#define safe_str(address) \ + safe_str_opts(NULL, address) + +const char * safe_str_client_opts(const or_options_t *options, + const char *address); +const char * safe_str_opts(const or_options_t *options, + const char *address); + int using_default_dir_authorities(const or_options_t *options); int create_keys_directory(const or_options_t *options); diff --git a/src/feature/hs/hs_client.c b/src/feature/hs/hs_client.c index e04f0cc0c3..1f026a20d1 100644 --- a/src/feature/hs/hs_client.c +++ b/src/feature/hs/hs_client.c @@ -1646,7 +1646,7 @@ hs_config_client_authorization(const or_options_t *options, if (digest256map_get(auths, identity_pk.pubkey)) { log_warn(LD_REND, "Duplicate authorization for the same hidden " "service address %s.", - safe_str_client(auth->onion_address)); + safe_str_client_opts(options, auth->onion_address)); client_service_authorization_free(auth); goto end; } From eca0f87801ea5062038544b6cfe2bdbba0998999 Mon Sep 17 00:00:00 2001 From: Nick Mathewson Date: Fri, 8 Feb 2019 08:37:23 -0500 Subject: [PATCH 3/3] Add changes file for bug 29040. --- changes/bug29040 | 4 ++++ 1 file changed, 4 insertions(+) create mode 100644 changes/bug29040 diff --git a/changes/bug29040 b/changes/bug29040 new file mode 100644 index 0000000000..0662aaa8a5 --- /dev/null +++ b/changes/bug29040 @@ -0,0 +1,4 @@ + o Minor bugfixes (onion services): + - Avoid crashing if ClientOnionAuthDir (incorrectly) contains + more than one private key for a hidden service. Fixes bug 29040; + bugfix on 0.3.5.1-alpha.