sarah/tor - tor - Open Privacy Gitea

Commit Graph

Author	SHA1	Message	Date
John Brooks	2b27ce52d2	Fix out-of-bounds read in INTRODUCE2 client auth The length of auth_data from an INTRODUCE2 cell is checked when the auth_type is recognized (1 or 2), but not for any other non-zero auth_type. Later, auth_data is assumed to have at least REND_DESC_COOKIE_LEN bytes, leading to a client-triggered out of bounds read. Fixed by checking auth_len before comparing the descriptor cookie against known clients. Fixes #15823; bugfix on 0.2.1.6-alpha.	2015-05-05 15:05:32 -04:00

Author

SHA1

Message

Date

John Brooks

2b27ce52d2

Fix out-of-bounds read in INTRODUCE2 client auth

The length of auth_data from an INTRODUCE2 cell is checked when the
auth_type is recognized (1 or 2), but not for any other non-zero
auth_type. Later, auth_data is assumed to have at least
REND_DESC_COOKIE_LEN bytes, leading to a client-triggered out of bounds
read.

Fixed by checking auth_len before comparing the descriptor cookie
against known clients.

Fixes #15823; bugfix on 0.2.1.6-alpha.

2015-05-05 15:05:32 -04:00

1 Commits