From 49ddd92c115c6943c4602d44f52c22b6f47698e8 Mon Sep 17 00:00:00 2001
From: Yawning Angel
Date: Mon, 30 Mar 2015 21:53:39 +0000
Subject: [PATCH 1/4] Validate the RSA key size received when parsing INTRODUCE2 cells. Fixes bug 15600; reported by skruffy
---
 changes/bug15600 | 5 +++++
 src/or/rendservice.c | 10 ++++++++++
 2 files changed, 15 insertions(+)
 create mode 100644 changes/bug15600
diff --git a/changes/bug15600 b/changes/bug15600
new file mode 100644
index 000000000..ee1d6cfe1
--- /dev/null
+++ b/changes/bug15600
@@ -0,0 +1,5 @@
+ o Major bugfixes (security, hidden service):
+ - Fix an issue that would allow a malicious client to trigger
+ an assertion failure and halt a hidden service. Fixes
+ bug 15600; bugfix on 0.2.1.6-alpha. Reported by "skruffy".
+
diff --git a/src/or/rendservice.c b/src/or/rendservice.c
index 8a4a11e47..436f2f4b6 100644
--- a/src/or/rendservice.c
+++ b/src/or/rendservice.c
@@ -1810,6 +1810,16 @@ rend_service_parse_intro_for_v2(
 goto err;
 }
+ if (128 != crypto_pk_keysize(extend_info->onion_key)) {
+ if (err_msg_out) {
+ tor_asprintf(err_msg_out,
+ "invalid onion key size in version %d INTRODUCE%d cell",
+ intro->version,
+ (intro->type));
+ }
+
+ goto err;
+ }
 ver_specific_len = 7+DIGEST_LEN+2+klen;
From 7b5f558da4542ecce992a8bdb65851fd4a1713bc Mon Sep 17 00:00:00 2001
From: Yawning Angel
Date: Thu, 2 Apr 2015 12:36:19 +0000
Subject: [PATCH 2/4] Treat empty introduction points sections as missing. Found by DonnchaC.
---
 src/or/rendcommon.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/or/rendcommon.c b/src/or/rendcommon.c
index d1b49411c..d1f8b1af9 100644
--- a/src/or/rendcommon.c
+++ b/src/or/rendcommon.c
@@ -1301,7 +1301,7 @@ rend_cache_store_v2_desc_as_client(const char *desc,
 goto err;
 }
 /* Decode/decrypt introduction points. */
- if (intro_content) {
+ if (intro_content && intro_size > 0) {
 int n_intro_points;
 if (rend_query->auth_type != REND_NO_AUTH &&
 !tor_mem_is_zero(rend_query->descriptor_cookie,
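Review bot: The key-size check added at `if (128 != crypto_pk_keysize(extend_info->onion_key))` compares against a bare literal, and nothing on the line says why 128 bytes is the only acceptable size; the changes file says this guards against an assertion failure further down, so that reason belongs at the check. Use the named constant Tor keeps for the 1024-bit RSA key size (PK_BYTES in crypto.h, if that is still where it is defined) or at least add `/* The onion key must be a 1024-bit (128-byte) RSA key: later code asserts on this size, so reject anything else here instead. */`. The parentheses in `(intro->type)` are redundant and inconsistent with `intro->version` on the preceding line. rend_service_parse_intro_for_v2 starts and ends outside the hunk, so whether the err label releases the already-decoded onion key for this new exit cannot be confirmed here; it takes the same path as the decode-failure exit just above, which suggests it does.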
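Review bot: The widened condition `if (intro_content && intro_size > 0) {` makes a present-but-empty introduction-points section take the same branch as a missing one, but nothing at the site records that this is intentional, so a later reader could narrow it back and reintroduce the zero-length call into rend_parse_introduction_points(). Add `/* An empty section is treated as absent: never hand a zero-length buffer to the intro-point parser. */` above the line. Since intro_content is non-NULL in the empty case, it is also worth confirming that the branch taken then still releases it; that code is outside the hunk. rend_cache_store_v2_desc_as_client starts and ends outside the hunk.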
From dc3cb0008085d173800724304573dc4ed341c793 Mon Sep 17 00:00:00 2001
From: Yawning Angel
Date: Thu, 2 Apr 2015 12:42:06 +0000
Subject: [PATCH 3/4] Handle empty/zero length encoded intro points more gracefully. In theory these should never the triggered as the only caller now validates the parameters before this routine gets called.
---
 src/or/routerparse.c | 14 +++++++++-----
 1 file changed, 9 insertions(+), 5 deletions(-)
diff --git a/src/or/routerparse.c b/src/or/routerparse.c
index 01f65f262..176c16f90 100644
--- a/src/or/routerparse.c
+++ b/src/or/routerparse.c
@@ -4928,7 +4928,7 @@ rend_parse_introduction_points(rend_service_descriptor_t *parsed,
 size_t intro_points_encoded_size)
 {
 const char *current_ipo, *end_of_intro_points;
- smartlist_t *tokens;
+ smartlist_t *tokens = NULL;
 directory_token_t *tok;
 rend_intro_point_t *intro;
 extend_info_t *info;
@@ -4937,8 +4937,10 @@ rend_parse_introduction_points(rend_service_descriptor_t *parsed,
 tor_assert(parsed);
 /** Function may only be invoked once. */
 tor_assert(!parsed->intro_nodes);
- tor_assert(intro_points_encoded);
- tor_assert(intro_points_encoded_size > 0);
+ if (!intro_points_encoded || intro_points_encoded_size == 0) {
+ log_warn(LD_REND, "Empty or zero size introduction point list");
+ goto err;
+ }
 /* Consider one intro point after the other. */
 current_ipo = intro_points_encoded;
 end_of_intro_points = intro_points_encoded + intro_points_encoded_size;
@@ -5042,8 +5044,10 @@ rend_parse_introduction_points(rend_service_descriptor_t *parsed,
 done:
 /* Free tokens and clear token list. */
- SMARTLIST_FOREACH(tokens, directory_token_t *, t, token_clear(t));
- smartlist_free(tokens);
+ if (tokens) {
+ SMARTLIST_FOREACH(tokens, directory_token_t *, t, token_clear(t));
+ smartlist_free(tokens);
+ }
 if (area)
 memarea_drop_all(area);
From 7451b4cafededa95da0099ea2444224d941eef52 Mon Sep 17 00:00:00 2001
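Review bot: The new early exit `goto err;` in the second hunk (the log_warn block that replaces the two tor_assert calls) now runs before tokens, area and parsed->intro_nodes are set up, so the cleanup at done: must cope with all of them unset; the third hunk guards tokens and `if (area)` is already guarded, but anything else that err: or done: touches lies outside these hunks and should be checked. The function's header comment, also outside the hunk, presumably still lists non-NULL, non-empty input as a precondition; it should now say that a NULL or zero-length intro_points_encoded is logged at warn level and makes the function return its failure value. The commit message says this path should be unreachable now that the caller validates first; say so at the site, e.g. `/* Not expected to fire: the caller rejects empty sections before calling us. */`, so the warning is not mistaken for a normal input-validation path. rend_parse_introduction_points starts before the first hunk and ends after the last.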
From: Nick Mathewson
Date: Mon, 6 Apr 2015 09:24:16 -0400
Subject: [PATCH 4/4] Changes file for bug15601
---
 changes/bug15601 | 4 ++++
 1 file changed, 4 insertions(+)
 create mode 100644 changes/bug15601
diff --git a/changes/bug15601 b/changes/bug15601
new file mode 100644
index 000000000..2cc880af7
--- /dev/null
+++ b/changes/bug15601
@@ -0,0 +1,4 @@
+ o Major bugfixes (security, hidden service):
+ - Fix a bug that could cause a client to crash with an assertion
+ failure when parsing a malformed hidden service descriptor.
+ Fixes bug 15601; bugfix on 0.2.1.5-alpha. Found by "DonnCha".