mirror of
https://gitlab.torproject.org/tpo/core/tor.git
synced 2024-11-27 22:03:31 +01:00
Fix TROVE-2021-006: Out-of-bounds read on v3 desc parsing
This commit is contained in:
parent
adb248b6d6
commit
f57b5c48e0
4
changes/bug40392
Normal file
4
changes/bug40392
Normal file
@ -0,0 +1,4 @@
|
||||
o Major bugfixes (security, denial of service, onion services):
|
||||
- Fix an out-of-bounds memory access in v3 descriptor parsing. Fixes bug
|
||||
40392; bugfix on 0.3.0.1-alpha. This issue is also tracked as
|
||||
TROVE-2021-006. Reported by Sergei Glazunov from Google's Project Zero.
|
@ -135,7 +135,7 @@ static token_rule_t hs_desc_superencrypted_v3_token_table[] = {
|
||||
/* Descriptor ruleset for the encrypted section. */
|
||||
static token_rule_t hs_desc_encrypted_v3_token_table[] = {
|
||||
T1_START(str_create2_formats, R3_CREATE2_FORMATS, CONCAT_ARGS, NO_OBJ),
|
||||
T01(str_intro_auth_required, R3_INTRO_AUTH_REQUIRED, ARGS, NO_OBJ),
|
||||
T01(str_intro_auth_required, R3_INTRO_AUTH_REQUIRED, GE(1), NO_OBJ),
|
||||
T01(str_single_onion, R3_SINGLE_ONION_SERVICE, ARGS, NO_OBJ),
|
||||
END_OF_TABLE
|
||||
};
|
||||
@ -2312,6 +2312,7 @@ desc_decode_encrypted_v3(const hs_descriptor_t *desc,
|
||||
/* Authentication type. It's optional but only once. */
|
||||
tok = find_opt_by_keyword(tokens, R3_INTRO_AUTH_REQUIRED);
|
||||
if (tok) {
|
||||
tor_assert(tok->n_args >= 1);
|
||||
if (!decode_auth_type(desc_encrypted_out, tok->args[0])) {
|
||||
log_warn(LD_REND, "Service descriptor authentication type has "
|
||||
"invalid entry(ies).");
|
||||
|
Loading…
Reference in New Issue
Block a user