mirror of
https://gitlab.torproject.org/tpo/core/tor.git
synced 2024-11-24 04:13:28 +01:00
Fix an uninitialized-read when parsing v3 introduction requests.
Fortunately, later checks mean that uninitialized data can't get sent to the network by this bug. Unfortunately, reading uninitialized heap *can* (in some cases, with some allocators) cause a crash if you get unlucky and go off the end of a page. Found by asn. Bugfix on 0.2.4.1-alpha.
This commit is contained in:
parent
0a0f93d277
commit
d5cfbf96a2
8
changes/v3_intro_len
Normal file
8
changes/v3_intro_len
Normal file
@ -0,0 +1,8 @@
|
||||
o Major bugfixes:
|
||||
|
||||
- Fix an uninitialized read that could (in some cases) lead to a remote
|
||||
crash while parsing INTRODUCE 1 cells. (This is, so far as we know,
|
||||
unrelated to the recent news.) Fixes bug XXX; bugfix on
|
||||
0.2.4.1-alpha. Anybody running a hidden service on the experimental
|
||||
0.2.4.x branch should upgrade.
|
||||
|
@ -1898,8 +1898,8 @@ rend_service_parse_intro_for_v3(
|
||||
}
|
||||
}
|
||||
|
||||
/* Check that we actually have everything up to the timestamp */
|
||||
if (plaintext_len < (size_t)(ts_offset)) {
|
||||
/* Check that we actually have everything up through the timestamp */
|
||||
if (plaintext_len < (size_t)(ts_offset)+4) {
|
||||
if (err_msg_out) {
|
||||
tor_asprintf(err_msg_out,
|
||||
"truncated plaintext of encrypted parted of "
|
||||
@ -1922,12 +1922,6 @@ rend_service_parse_intro_for_v3(
|
||||
memcpy(intro->u.v3.auth_data, buf + 4, intro->u.v3.auth_len);
|
||||
}
|
||||
|
||||
/*
|
||||
* Apparently we don't use the timestamp any more, but might as well copy
|
||||
* over just in case we ever care about it.
|
||||
*/
|
||||
intro->u.v3.timestamp = ntohl(get_uint32(buf + ts_offset));
|
||||
|
||||
/*
|
||||
* From here on, the format is as in v2, so we call the v2 parser with
|
||||
* adjusted buffer and length. We are 4 + ts_offset octets in, but the
|
||||
|
@ -56,8 +56,6 @@ struct rend_intro_cell_s {
|
||||
uint16_t auth_len;
|
||||
/* Auth data */
|
||||
uint8_t *auth_data;
|
||||
/* timestamp */
|
||||
uint32_t timestamp;
|
||||
/* Rendezvous point's IP address/port, identity digest and onion key */
|
||||
extend_info_t *extend_info;
|
||||
} v3;
|
||||
|
Loading…
Reference in New Issue
Block a user