Merge remote-tracking branch 'origin/maint-0.2.4' into release-0.2.4

Nick Mathewson 2015-04-06 09:31:30 -04:00
commit da8505205d
5 changed files with 29 additions and 6 deletions

5
changes/bug15600 Normal file

@ -0,0 +1,5 @@
o Major bugfixes (security, hidden service):
- Fix an issue that would allow a malicious client to trigger
an assertion failure and halt a hidden service. Fixes
bug 15600; bugfix on 0.2.1.6-alpha. Reported by "skruffy".

4
changes/bug15601 Normal file

@ -0,0 +1,4 @@
o Major bugfixes (security, hidden service):
- Fix a bug that could cause a client to crash with an assertion
failure when parsing a malformed hidden service descriptor.
Fixes bug 15601; bugfix on 0.2.1.5-alpha. Found by "DonnCha".


@ -1301,7 +1301,7 @@ rend_cache_store_v2_desc_as_client(const char *desc,
goto err; goto err;
} }
/* Decode/decrypt introduction points. */ /* Decode/decrypt introduction points. */
if (intro_content) { if (intro_content && intro_size > 0) {
int n_intro_points; int n_intro_points;
if (rend_query->auth_type != REND_NO_AUTH && if (rend_query->auth_type != REND_NO_AUTH &&
!tor_mem_is_zero(rend_query->descriptor_cookie, !tor_mem_is_zero(rend_query->descriptor_cookie,
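Review bot: The new `intro_size > 0` test on the `if (intro_content && ...)` line is evaluated before the auth/decrypt branch that begins on the next lines, so it only covers the size as received. If that branch replaces `intro_content` and `intro_size` with decrypted data (not visible in this hunk), an empty result can still reach the parser, which leaves the parser-side check in this commit as the effective guard. A comment on the condition would make the intent explicit, e.g. `/* Skip parsing when the intro point section is empty; it is treated as if it were absent. */`. It is also worth confirming that the path taken for a non-NULL but zero-length `intro_content` still frees the buffer. The `if` body continues outside the hunk.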


@ -1810,6 +1810,16 @@ rend_service_parse_intro_for_v2(
goto err; goto err;
} }
if (128 != crypto_pk_keysize(extend_info->onion_key)) {
if (err_msg_out) {
tor_asprintf(err_msg_out,
"invalid onion key size in version %d INTRODUCE%d cell",
intro->version,
(intro->type));
}
goto err;
}
ver_specific_len = 7+DIGEST_LEN+2+klen; ver_specific_len = 7+DIGEST_LEN+2+klen;
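Review bot: The bare `128` in `if (128 != crypto_pk_keysize(extend_info->onion_key))` does not say why this is the only accepted size, and the value comes from a key decoded out of a client-supplied INTRODUCE cell. I would put a comment above the check, e.g. `/* Only 1024-bit RSA onion keys are valid; reject other sizes here rather than letting them reach code that assumes this length. */`. I would also compare against a named constant, `if (crypto_pk_keysize(extend_info->onion_key) != PK_BYTES) {`, if `PK_BYTES` is the intended constant here. Including the observed key size in the `err_msg_out` text would make malformed cells easier to triage from logs. The function body starts and ends outside the hunk.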


@ -4928,7 +4928,7 @@ rend_parse_introduction_points(rend_service_descriptor_t *parsed,
size_t intro_points_encoded_size) size_t intro_points_encoded_size)
{ {
const char *current_ipo, *end_of_intro_points; const char *current_ipo, *end_of_intro_points;
smartlist_t *tokens; smartlist_t *tokens = NULL;
directory_token_t *tok; directory_token_t *tok;
rend_intro_point_t *intro; rend_intro_point_t *intro;
extend_info_t *info; extend_info_t *info;
@ -4937,8 +4937,10 @@ rend_parse_introduction_points(rend_service_descriptor_t *parsed,
tor_assert(parsed); tor_assert(parsed);
/** Function may only be invoked once. */ /** Function may only be invoked once. */
tor_assert(!parsed->intro_nodes); tor_assert(!parsed->intro_nodes);
tor_assert(intro_points_encoded); if (!intro_points_encoded || intro_points_encoded_size == 0) {
tor_assert(intro_points_encoded_size > 0); log_warn(LD_REND, "Empty or zero size introduction point list");
goto err;
}
/* Consider one intro point after the other. */ /* Consider one intro point after the other. */
current_ipo = intro_points_encoded; current_ipo = intro_points_encoded;
end_of_intro_points = intro_points_encoded + intro_points_encoded_size; end_of_intro_points = intro_points_encoded + intro_points_encoded_size;
@ -5042,8 +5044,10 @@ rend_parse_introduction_points(rend_service_descriptor_t *parsed,
done: done:
/* Free tokens and clear token list. */ /* Free tokens and clear token list. */
SMARTLIST_FOREACH(tokens, directory_token_t *, t, token_clear(t)); if (tokens) {
smartlist_free(tokens); SMARTLIST_FOREACH(tokens, directory_token_t *, t, token_clear(t));
smartlist_free(tokens);
}
if (area) if (area)
memarea_drop_all(area); memarea_drop_all(area);
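Review bot: The new `goto err` in the empty-input check runs before anything in the function has been allocated, so every variable read on the `err`/`done` path must be initialised at declaration. `tokens = NULL` plus the `if (tokens)` guard covers the token list, but the declaration of `area` lies between the hunks and is not visible, so please confirm it is initialised to NULL before `if (area)` is reached. Since the input comes from a descriptor fetched over the network, `log_fn(LOG_PROTOCOL_WARN, LD_REND, ...)` may be a better fit than an unconditional `log_warn`, so a peer cannot fill the log at warn level. A unit test that calls the function with a NULL pointer and with size 0 and expects an error return would pin the fix. The function body extends outside all three hunks.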