From a3d8ffe010d860b65b697767b867c3c37f186e36 Mon Sep 17 00:00:00 2001
From: Roger Dingledine
Date: Thu, 24 Jul 2014 17:07:39 -0400
Subject: [PATCH 1/3] fix typo that crept in to 0.2.4.4-alpha

---
 src/or/channel.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/or/channel.c b/src/or/channel.c
index 964b3fcac3..3072effc8f 100644
--- a/src/or/channel.c
+++ b/src/or/channel.c
@@ -3352,7 +3352,7 @@ channel_dump_statistics(channel_t *chan, int severity)
 U64_PRINTF_ARG(chan->timestamp_recv),
 U64_PRINTF_ARG(now - chan->timestamp_recv));
 tor_log(severity, LD_GENERAL,
- " * Channel " U64_FORMAT " last trasmitted a cell "
+ " * Channel " U64_FORMAT " last transmitted a cell "
 "at " U64_FORMAT " (" U64_FORMAT " seconds ago)",
 U64_PRINTF_ARG(chan->global_identifier),
 U64_PRINTF_ARG(chan->timestamp_xmit),
From 1b551823de6e6c03cf86bcbb7ca1b687c5f16ea6 Mon Sep 17 00:00:00 2001
From: Nick Mathewson
Date: Tue, 10 Jun 2014 11:11:47 -0400
Subject: [PATCH 2/3] Avoid illegal read off end of an array in prune_v2_cipher_list

This function is supposed to construct a list of all the ciphers in the "v2 link protocol cipher list" that are supported by Tor's openssl. It does this by invoking ssl23_get_cipher_by_char on each two-byte ciphersuite ID to see which ones give a match. But when ssl23_get_cipher_by_char cannot find a match for a two-byte SSL3/TLS ciphersuite ID, it checks to see whether it has a match for a three-byte SSL2 ciphersuite ID. This was causing a read off the end of the 'cipherid' array. This was probably harmless in practice, but we shouldn't be having any uninitialized reads. (Using ssl23_get_cipher_by_char in this way is a kludge, but then again the entire existence of the v2 link protocol is kind of a kludge. Once Tor 0.2.2 clients are all gone, we can drop this code entirely.) Found by starlight. Fix on 0.2.4.8-alpha. Fixes bug 12227.
---
 changes/bug12227 | 5 +++++
 src/common/tortls.c | 5 ++++-
 2 files changed, 9 insertions(+), 1 deletion(-)
 create mode 100644 changes/bug12227

diff --git a/changes/bug12227 b/changes/bug12227
new file mode 100644
index 0000000000..d8b5d08a55
--- /dev/null
+++ b/changes/bug12227
@@ -0,0 +1,5 @@
+ o Minor bugfixes:
+ - Avoid an illegal read from stack when initializing the TLS
+ module using a version of OpenSSL without all of the ciphers
+ used by the v2 link handshake. Fixes bug 12227; bugfix on
+ 0.2.4.8-alpha. Found by "starlight".
diff --git a/src/common/tortls.c b/src/common/tortls.c
index 8f3f6a7130..c13b12fd40 100644
--- a/src/common/tortls.c
+++ b/src/common/tortls.c
@@ -1489,10 +1489,13 @@ prune_v2_cipher_list(void)
 inp = outp = v2_cipher_list;
 while (*inp) {
- unsigned char cipherid[2];
+ unsigned char cipherid[3];
 const SSL_CIPHER *cipher;
 /* Is there no better way to do this? */
 set_uint16(cipherid, htons(*inp));
+ cipherid[2] = 0; /* If ssl23_get_cipher_by_char finds no cipher starting
+ * with a two-byte 'cipherid', it may look for a v2
+ * cipher with the appropriate 3 bytes. */
 cipher = m->get_cipher_by_char(cipherid);
 if (cipher) {
 tor_assert((cipher->id & 0xffff) == *inp);
From 472696e8e517609d34db4818af7bb4ff6f68a158 Mon Sep 17 00:00:00 2001
From: Roger Dingledine
Date: Thu, 24 Jul 2014 19:49:01 -0400
Subject: [PATCH 3/3] get rid of already-merged bug12227 changes file

---
 changes/bug12227 | 5 -----
 1 file changed, 5 deletions(-)
 delete mode 100644 changes/bug12227

diff --git a/changes/bug12227 b/changes/bug12227
deleted file mode 100644
index d8b5d08a55..0000000000
--- a/changes/bug12227
+++ /dev/null
@@ -1,5 +0,0 @@
- o Minor bugfixes:
- - Avoid an illegal read from stack when initializing the TLS
- module using a version of OpenSSL without all of the ciphers
- used by the v2 link handshake. Fixes bug 12227; bugfix on
- 0.2.4.8-alpha. Found by "starlight".
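Review bot: The `tor_assert((cipher->id & 0xffff) == *inp);` on the hunk's last line now depends on the three-byte fallback never returning a cipher, because an SSL2-style id built from the bytes {hi, lo, 0} would not carry `*inp` in its low 16 bits; the zeroed third byte is what makes that hold (presumably because no SSL2 suite id in OpenSSL's table ends in a zero byte), and the new comment does not say so. I would extend the comment with `* A zero third byte is not expected to match any SSL2 suite; if it ever did, the tor_assert below would fire.` so the next reader knows the assert and the padding byte are coupled. A more defensive option is to treat a mismatching result as unsupported instead of asserting, e.g. `if (cipher && (cipher->id & 0xffff) == *inp) {`, but that changes which ciphers reach the else branch, which lies outside the hunk. prune_v2_cipher_list begins before the hunk and its loop body continues past the last line shown.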