Commit Graph

21087 Commits

Author SHA1 Message Date
Nick Mathewson
6cd6d488dc Merge branch 'maint-0.2.6' into maint-0.2.7-redux 2017-07-05 13:42:37 -04:00
Nick Mathewson
f6420bceec Merge branch 'maint-0.2.5' into maint-0.2.6 2017-07-05 13:42:32 -04:00
Nick Mathewson
ff8c230d7c Merge branch 'maint-0.2.4' into maint-0.2.5 2017-07-05 13:42:26 -04:00
Nick Mathewson
0ee15c92d5 Merge branch 'bug22789_024' into maint-0.2.4 2017-07-05 13:41:27 -04:00
Nick Mathewson
bb3f74e66b Fix assertion failure related to openbsd strtol().
Fixes bug 22789; bugfix on 0.2.3.8-alpha.
2017-07-03 11:22:27 -04:00
Nick Mathewson
9a0fd2dbb1 Merge branch 'maint-0.2.6' into maint-0.2.7-redux 2017-06-27 11:04:44 -04:00
Nick Mathewson
3de27618e6 Merge branch 'maint-0.2.5' into maint-0.2.6 2017-06-27 11:04:44 -04:00
Nick Mathewson
ccae991662 Merge branch 'maint-0.2.4' into maint-0.2.5 2017-06-27 11:04:44 -04:00
Nick Mathewson
d56f699399 Merge branch 'bug22737_024' into maint-0.2.4 2017-06-27 11:04:41 -04:00
Nick Mathewson
8d2978b13c Fix an errant memset() into the middle of a struct in cell_pack().
This mistake causes two possible bugs. I believe they are both
harmless IRL.

BUG 1: memory stomping

When we call the memset, we are overwriting two 0 bytes past the end
of packed_cell_t.body. But I think that's harmless in practice,
because the definition of packed_cell_t is:

// ...
typedef struct packed_cell_t {
  TOR_SIMPLEQ_ENTRY(packed_cell_t) next;
  char body[CELL_MAX_NETWORK_SIZE];
  uint32_t inserted_time;
} packed_cell_t;

So we will overwrite either two bytes of inserted_time, or two bytes
of padding, depending on how the platform handles alignment.

If we're overwriting padding, that's safe.

If we are overwriting the inserted_time field, that's also safe: In
every case where we call cell_pack() from connection_or.c, we ignore
the inserted_time field. When we call cell_pack() from relay.c, we
don't set or use inserted_time until right after we have called
cell_pack(). SO I believe we're safe in that case too.

BUG 2: memory exposure

The original reason for this memset was to avoid the possibility of
accidentally leaking uninitialized ram to the network. Now
remember, if wide_circ_ids is false on a connection, we shouldn't
actually be sending more than 512 bytes of packed_cell_t.body, so
these two bytes can only leak to the network if there is another bug
somewhere else in the code that sends more data than is correct.

Fortunately, in relay.c, where we allocate packed_cell_t in
packed_cell_new() , we allocate it with tor_malloc_zero(), which
clears the RAM, right before we call cell_pack. So those
packed_cell_t.body bytes can't leak any information.

That leaves the two calls to cell_pack() in connection_or.c, which
use stack-alocated packed_cell_t instances.

In or_handshake_state_record_cell(), we pass the cell's contents to
crypto_digest_add_bytes(). When we do so, we get the number of
bytes to pass using the same setting of wide_circ_ids as we passed
to cell_pack(). So I believe that's safe.

In connection_or_write_cell_to_buf(), we also use the same setting
of wide_circ_ids in both calls. So I believe that's safe too.

I introduced this bug with 1c0e87f6d8
back in 0.2.4.11-alpha; it is bug 22737 and CID 1401591
2017-06-27 10:47:20 -04:00
Nick Mathewson
24ee8595bf Merge branch 'maint-0.2.6' into maint-0.2.7-redux 2017-06-09 09:58:45 -04:00
Nick Mathewson
3913f959e3 Merge branch 'maint-0.2.5' into maint-0.2.6 2017-06-09 09:58:45 -04:00
Nick Mathewson
325c507a09 Merge branch 'maint-0.2.4' into maint-0.2.5 2017-06-09 09:58:45 -04:00
Karsten Loesing
104e8fa751 Update geoip and geoip6 to the June 8 2017 database. 2017-06-09 15:47:49 +02:00
Nick Mathewson
2f6be06f6a Merge branch 'maint-0.2.6' into maint-0.2.7-redux
"ours" merge to avoid version bump.
2017-06-08 14:06:06 -04:00
Nick Mathewson
eb92d11f53 Merge branch 'maint-0.2.5' into maint-0.2.6
"ours" merge to avoid version bump.
2017-06-08 14:05:59 -04:00
Nick Mathewson
1a7af7470f Merge branch 'maint-0.2.4' into maint-0.2.5
"ours" merge to avoid version bump.
2017-06-08 14:05:37 -04:00
Nick Mathewson
44c8cb986d Add -dev to version number. 2017-06-08 14:05:18 -04:00
Nick Mathewson
95a88f7283 Add -dev to version number. 2017-06-08 14:05:16 -04:00
Nick Mathewson
f3804f5999 Add -dev to version number. 2017-06-08 14:05:13 -04:00
Nick Mathewson
ec3ce773ad Add -dev to version number. 2017-06-08 14:05:08 -04:00
Nick Mathewson
4915d9c5a7 Merge branch 'maint-0.2.6' into maint-0.2.7-redux
"ours" merge to avoid version bump.
2017-06-08 09:28:54 -04:00
Nick Mathewson
b796ad0300 Merge branch 'maint-0.2.5' into maint-0.2.6
"ours" merge to avoid version bump.
2017-06-08 09:28:29 -04:00
Nick Mathewson
77c5d8c738 Merge branch 'maint-0.2.4' into maint-0.2.5
"ours" merge to avoid version bump.
2017-06-08 09:28:11 -04:00
Nick Mathewson
2efe0275bc Bump to 0.2.7.8 2017-06-08 09:27:34 -04:00
Nick Mathewson
0de4620375 Bump to 0.2.6.12 2017-06-08 09:26:20 -04:00
Nick Mathewson
fa73f59ad3 bump to 0.2.5.14 2017-06-08 09:26:00 -04:00
Nick Mathewson
8e439a66f3 Bump to 0.2.4.29 2017-06-08 09:25:31 -04:00
Nick Mathewson
c1646d6e89 Merge branch 'maint-0.2.6' into maint-0.2.7-redux 2017-06-08 09:21:15 -04:00
Nick Mathewson
40bccc2004 Merge branch 'maint-0.2.5' into maint-0.2.6 2017-06-08 09:21:15 -04:00
Nick Mathewson
dec7998f5c Merge branch 'maint-0.2.4' into maint-0.2.5 2017-06-08 09:21:15 -04:00
David Goulet
56a7c5bc15 TROVE-2017-005: Fix assertion failure in connection_edge_process_relay_cell
On an hidden service rendezvous circuit, a BEGIN_DIR could be sent
(maliciously) which would trigger a tor_assert() because
connection_edge_process_relay_cell() thought that the circuit is an
or_circuit_t but is an origin circuit in reality.

Fixes #22494

Reported-by: Roger Dingledine <arma@torproject.org>
Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-06-08 09:21:10 -04:00
Nick Mathewson
9a6f938582 Merge branch 'maint-0.2.6' into maint-0.2.7-redux 2017-06-05 14:48:30 -04:00
Nick Mathewson
a56cfdaba2 Merge branch 'maint-0.2.5' into maint-0.2.6
Ours merge to avoid taking 4ee48cb434
2017-06-05 14:39:06 -04:00
Nick Mathewson
2e5220cb8b Merge branch 'maint-0.2.4' into maint-0.2.5 2017-06-05 14:38:54 -04:00
Nick Mathewson
4ee48cb434 Fix C89 warning (since Tor 0.2.4-5 still care about that.) 2017-06-05 14:38:38 -04:00
Nick Mathewson
3f2d1f7f07 Merge branch 'maint-0.2.6' into maint-0.2.7-redux 2017-06-05 12:00:41 -04:00
Nick Mathewson
9ea3d0877a Merge branch 'maint-0.2.5' into maint-0.2.6 2017-06-05 12:00:27 -04:00
Nick Mathewson
1a540b5792 Merge branch 'maint-0.2.4' into maint-0.2.5 2017-06-05 12:00:08 -04:00
Nick Mathewson
e3ebae4804 Fix undefined behavior in geoip_parse_entry().
Fixes bug 22490; bugfix on 6a241ff3ff in 0.2.4.6-alpha.

Found by teor using clang-5.0's AddressSanitizer stack-use-after-scope.
2017-06-05 10:09:39 -04:00
Nick Mathewson
71dd1d716a Merge branch 'maint-0.2.6' into maint-0.2.7-redux 2017-05-08 08:07:11 -04:00
Nick Mathewson
159ddf6dde Merge branch 'maint-0.2.5' into maint-0.2.6 2017-05-08 08:07:04 -04:00
Nick Mathewson
68d6720452 Merge branch 'maint-0.2.4' into maint-0.2.5 2017-05-08 08:06:59 -04:00
Karsten Loesing
5207e41ffe Update geoip and geoip6 to the May 2 2017 database. 2017-05-08 10:09:42 +02:00
Nick Mathewson
44bc8821b1 Merge branch 'maint-0.2.6' into maint-0.2.7-redux 2017-04-06 08:31:23 -04:00
Nick Mathewson
21d776738c Merge branch 'maint-0.2.5' into maint-0.2.6 2017-04-06 08:31:18 -04:00
Nick Mathewson
a8a860e1da Merge branch 'maint-0.2.4' into maint-0.2.5 2017-04-06 08:31:12 -04:00
Karsten Loesing
9d7933296c Update geoip and geoip6 to the April 4 2017 database. 2017-04-06 10:52:39 +02:00
Nick Mathewson
25c28bc2d9 Merge branch 'maint-0.2.6' into maint-0.2.7-redux 2017-03-08 10:11:05 -05:00
Nick Mathewson
ecc73c3c03 Merge branch 'maint-0.2.5' into maint-0.2.6 2017-03-08 10:10:44 -05:00