From 9c4a0aef0c0d8e1c3ad8d9ed7b655eae8a175ccb Mon Sep 17 00:00:00 2001 From: Nick Mathewson Date: Wed, 21 Oct 2015 11:16:28 -0400 Subject: [PATCH 1/4] Fix a memory leak in reading an expired ed signing key. Closes 17403. --- changes/bug17403 | 3 +++ src/or/routerkeys.c | 2 ++ 2 files changed, 5 insertions(+) create mode 100644 changes/bug17403 diff --git a/changes/bug17403 b/changes/bug17403 new file mode 100644 index 0000000000..e83a4a247b --- /dev/null +++ b/changes/bug17403 @@ -0,0 +1,3 @@ + o Minor bugfixes (memory leaks): + - Fix a memory leak when reading an expired signing key from disk. + Fixes bug 17403; bugfix on 0.2.7.2-rc. diff --git a/src/or/routerkeys.c b/src/or/routerkeys.c index 765dac883a..d88bfca13a 100644 --- a/src/or/routerkeys.c +++ b/src/or/routerkeys.c @@ -836,6 +836,8 @@ load_ed_keys(const or_options_t *options, time_t now) INIT_ED_KEY_INCLUDE_SIGNING_KEY_IN_CERT); char *fname = options_get_datadir_fname2(options, "keys", "ed25519_signing"); + ed25519_keypair_free(sign); + tor_cert_free(sign_cert); sign = ed_key_init_from_file(fname, flags, LOG_WARN, sign_signing_key_with_id, now, From 35bf07b8d67d018f7740ca195cf8c7c86b1b4ef9 Mon Sep 17 00:00:00 2001 From: Nick Mathewson Date: Wed, 21 Oct 2015 11:44:43 -0400 Subject: [PATCH 2/4] Check for len < 4 in dn_indicates_v3_cert Without this check, we potentially look up to 3 characters before the start of a malloc'd segment, which could provoke a crash under certain (weird afaik) circumstances. Fixes 17404; bugfix on 0.2.6.3-alpha. --- changes/bug17404 | 6 ++++++ src/common/tortls.c | 4 ++++ 2 files changed, 10 insertions(+) create mode 100644 changes/bug17404 diff --git a/changes/bug17404 b/changes/bug17404 new file mode 100644 index 0000000000..d524f6662d --- /dev/null +++ b/changes/bug17404 
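Review bot: After the added `tor_cert_free(sign_cert);` in load_ed_keys, `sign_cert` keeps the freed address. `sign` is safe because the assignment that follows overwrites it, but the hunk cuts off the `ed_key_init_from_file()` argument list, so it does not show whether the cert pointer is always rewritten, including when the load fails. If the function has a shared cleanup path that frees these locals (not visible here; the body starts and ends outside the hunk), a failed load could free the certificate twice. Clearing the pointers at the point of release removes that dependency: `ed25519_keypair_free(sign); sign = NULL;` and `tor_cert_free(sign_cert); sign_cert = NULL;`.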
@@ -0,0 +1,6 @@ + o Major bugfixes (security, correctness): + - Fix a programming error that could cause us to read 4 bytes before + the beginning of an openssl string. This could be used to provoke + a crash on systems with an unusual malloc implementation, or + systems with unsual hardening installed. Fixes bug 17404; bugfix + on 0.2.3.6-alpha. diff --git a/src/common/tortls.c b/src/common/tortls.c index 4222f6dbff..75ca47dbdb 100644 --- a/src/common/tortls.c +++ b/src/common/tortls.c @@ -2676,6 +2676,10 @@ dn_indicates_v3_cert(X509_NAME *name) len = ASN1_STRING_to_UTF8(&s, str); if (len < 0) return 0; + if (len < 4) { + OPENSSL_free(s); + return 0; + } r = fast_memneq(s + len - 4, ".net", 4); OPENSSL_free(s); return r; From 9459ae260e3ae428283c3b45d08aaef6ef9f6fa3 Mon Sep 17 00:00:00 2001 From: Nick Mathewson Date: Wed, 21 Oct 2015 12:01:05 -0400 Subject: [PATCH 3/4] Fix the return value --- src/common/tortls.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/common/tortls.c b/src/common/tortls.c index 75ca47dbdb..840b677cb7 100644 --- a/src/common/tortls.c +++ b/src/common/tortls.c @@ -2678,7 +2678,7 @@ dn_indicates_v3_cert(X509_NAME *name) return 0; if (len < 4) { OPENSSL_free(s); - return 0; + return 1; } r = fast_memneq(s + len - 4, ".net", 4); OPENSSL_free(s); From 7b859fd8c558c9cf08add79db87fb1cb76537535 Mon Sep 17 00:00:00 2001 From: Nick Mathewson Date: Wed, 21 Oct 2015 12:22:05 -0400 Subject: [PATCH 4/4] Note that you can use a unix domain socket for hsport --- changes/bug17364 | 3 +++ doc/tor.1.txt | 4 ++-- 2 files changed, 5 insertions(+), 2 deletions(-) create mode 100644 changes/bug17364 diff --git a/changes/bug17364 b/changes/bug17364 new file mode 100644 index 0000000000..dd9ff12784 --- /dev/null +++ b/changes/bug17364 @@ -0,0 +1,3 @@ + o Documentation: + - Note that HiddenServicePorts can take a unix domain socket. + Closes ticket 17364. diff --git a/doc/tor.1.txt b/doc/tor.1.txt index 954c8fa243..5ea5623952 100644 
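Review bot: In dn_indicates_v3_cert the new `len < 4` branch returns 1 once the follow-up "Fix the return value" hunk is applied, while the `len < 0` branch directly above it returns 0, and nothing in the code explains the difference. A comment on the new branch would stop a later reader from changing it back, for example `/* Too short to end in ".net": same answer fast_memneq() would give. */`. The literal 4 now appears in the guard, in the pointer offset and in the compare length; a single named constant for the suffix length would keep the bounds check and the read from drifting apart. The commit message says "up to 3 characters" and "bugfix on 0.2.6.3-alpha", whereas changes/bug17404 says "4 bytes" and "0.2.3.6-alpha"; the version decides which releases need the fix, so the two should be reconciled. The function starts outside both hunks.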
--- a/doc/tor.1.txt +++ b/doc/tor.1.txt @@ -2176,8 +2176,8 @@ The following options are used to configure a hidden service. option multiple times; each time applies to the service using the most recent HiddenServiceDir. By default, this option maps the virtual port to the same port on 127.0.0.1 over TCP. You may override the target port, - address, or both by specifying a target of addr, port, or addr:port. - (You can specify an IPv6 target as [addr]:port.) + address, or both by specifying a target of addr, port, addr:port, or + **unix:**__path__. (You can specify an IPv6 target as [addr]:port.) You may also have multiple lines with the same VIRTPORT: when a user connects to that VIRTPORT, one of the TARGETs from those lines will be chosen at random.