From d5cfbf96a2dbbee4501da92d5a21d0c66732ae24 Mon Sep 17 00:00:00 2001
From: Nick Mathewson
Date: Mon, 5 Aug 2013 11:40:33 -0400
Subject: [PATCH] Fix an uninitialized-read when parsing v3 introduction requests.

Fortunately, later checks mean that uninitialized data can't get sent to the network by this bug. Unfortunately, reading uninitialized heap *can* (in some cases, with some allocators) cause a crash if you get unlucky and go off the end of a page. Found by asn. Bugfix on 0.2.4.1-alpha.
---
 changes/v3_intro_len | 8 ++++++++
 src/or/rendservice.c | 10 ++--------
 src/or/rendservice.h | 2 --
 3 files changed, 10 insertions(+), 10 deletions(-)
 create mode 100644 changes/v3_intro_len

diff --git a/changes/v3_intro_len b/changes/v3_intro_len
new file mode 100644
index 000000000..fbe39bce3
--- /dev/null
+++ b/changes/v3_intro_len
@@ -0,0 +1,8 @@
+ o Major bugfixes:
+
+ - Fix an uninitialized read that could (in some cases) lead to a remote
+ crash while parsing INTRODUCE 1 cells. (This is, so far as we know,
+ unrelated to the recent news.) Fixes bug XXX; bugfix on
+ 0.2.4.1-alpha. Anybody running a hidden service on the experimental
+ 0.2.4.x branch should upgrade.
+
diff --git a/src/or/rendservice.c b/src/or/rendservice.c
index a8f63ddf6..00bca17d4 100644
--- a/src/or/rendservice.c
+++ b/src/or/rendservice.c
@@ -1898,8 +1898,8 @@ rend_service_parse_intro_for_v3(
 }
 }
 
- /* Check that we actually have everything up to the timestamp */
- if (plaintext_len < (size_t)(ts_offset)) {
+ /* Check that we actually have everything up through the timestamp */
+ if (plaintext_len < (size_t)(ts_offset)+4) {
 if (err_msg_out) {
 tor_asprintf(err_msg_out,
 "truncated plaintext of encrypted parted of "
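Review bot: The `+4` added to the bound in the first rendservice.c hunk, `if (plaintext_len < (size_t)(ts_offset)+4) {`, is the width of the timestamp field that the second hunk stops reading, but nothing next to the check says so, and a later cleanup that notices the function never touches those four bytes could shorten the bound back to `ts_offset` and reintroduce the over-read when the v2 parser is handed the buffer at `4 + ts_offset`, as the comment at the end of the second hunk describes. I would extend the new comment to `/* Check that we actually have everything up through the timestamp: the v2-format part starts 4 octets past ts_offset, so the bound must cover those bytes even though the timestamp itself is no longer stored. */`. The type and range of `ts_offset` are not visible here; if it can be negative, the `(size_t)` cast turns it into a huge bound and the check fails closed, so that path looks safe but is worth confirming. The context line `"truncated plaintext of encrypted parted of "` carries a typo, `parted` for `part`, in a message that reaches the caller via `err_msg_out`. rend_service_parse_intro_for_v3 begins and ends outside both hunks.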
@@ -1922,12 +1922,6 @@ rend_service_parse_intro_for_v3(
 memcpy(intro->u.v3.auth_data, buf + 4, intro->u.v3.auth_len);
 }
 
- /*
- * Apparently we don't use the timestamp any more, but might as well copy
- * over just in case we ever care about it.
- */
- intro->u.v3.timestamp = ntohl(get_uint32(buf + ts_offset));
-
 /*
 * From here on, the format is as in v2, so we call the v2 parser with
 * adjusted buffer and length. We are 4 + ts_offset octets in, but the
diff --git a/src/or/rendservice.h b/src/or/rendservice.h
index ff31ba6ed..caf88a3d6 100644
--- a/src/or/rendservice.h
+++ b/src/or/rendservice.h
@@ -56,8 +56,6 @@ struct rend_intro_cell_s {
 uint16_t auth_len;
 /* Auth data */
 uint8_t *auth_data;
- /* timestamp */
- uint32_t timestamp;
 /* Rendezvous point's IP address/port, identity digest and onion key */
 extend_info_t *extend_info;
 } v3;