mirror of
https://gitlab.torproject.org/tpo/core/tor.git
synced 2024-11-20 10:12:15 +01:00
Merge branch 'bug21018_024' into maint-0.2.8
This commit is contained in:
commit
c11de4c45f
11
changes/bug21018
Normal file
11
changes/bug21018
Normal file
@ -0,0 +1,11 @@
|
||||
o Major bugfixes (parsing, security):
|
||||
|
||||
- Fix a bug in parsing that could cause clients to read a single
|
||||
byte past the end of an allocated region. This bug could be
|
||||
used to cause hardened clients (built with
|
||||
--enable-expensive-hardening) to crash if they tried to visit
|
||||
a hostile hidden service. Non-hardened clients are only
|
||||
affected depending on the details of their platform's memory
|
||||
allocator. Fixes bug 21018; bugfix on 0.2.0.8-alpha. Found by
|
||||
using libFuzzer. Also tracked as TROVE-2016-12-002 and as
|
||||
CVE-2016-1254.
|
@ -915,7 +915,9 @@ rend_cache_store_v2_desc_as_client(const char *desc,
|
||||
if (n_intro_points <= 0) {
|
||||
log_warn(LD_REND, "Failed to parse introduction points. Either the "
|
||||
"service has published a corrupt descriptor or you have "
|
||||
"provided invalid authorization data.");
|
||||
"provided invalid authorization data, or (maybe!) the "
|
||||
"server is deliberately serving broken data in an attempt "
|
||||
"to crash you with bug 21018.");
|
||||
goto err;
|
||||
} else if (n_intro_points > MAX_INTRO_POINTS) {
|
||||
log_warn(LD_REND, "Found too many introduction points on a hidden "
|
||||
|
@ -4122,7 +4122,7 @@ get_next_token(memarea_t *area,
|
||||
|
||||
if (tok->tp == ERR_) {
|
||||
/* No keyword matched; call it an "K_opt" or "A_unrecognized" */
|
||||
if (**s == '@')
|
||||
if (*s < eol && **s == '@')
|
||||
tok->tp = A_UNKNOWN_;
|
||||
else
|
||||
tok->tp = K_OPT;
|
||||
@ -5171,7 +5171,7 @@ rend_decrypt_introduction_points(char **ipos_decrypted,
|
||||
crypto_cipher_free(cipher);
|
||||
|
||||
len = ipos_encrypted_size - 2 - client_entries_len - CIPHER_IV_LEN;
|
||||
dec = tor_malloc(len);
|
||||
dec = tor_malloc_zero(len + 1);
|
||||
declen = crypto_cipher_decrypt_with_iv(session_key, dec, len,
|
||||
ipos_encrypted + 2 + client_entries_len,
|
||||
ipos_encrypted_size - 2 - client_entries_len);
|
||||
@ -5203,7 +5203,7 @@ rend_decrypt_introduction_points(char **ipos_decrypted,
|
||||
"small.");
|
||||
return -1;
|
||||
}
|
||||
dec = tor_malloc_zero(ipos_encrypted_size - CIPHER_IV_LEN - 1);
|
||||
dec = tor_malloc_zero(ipos_encrypted_size - CIPHER_IV_LEN - 1 + 1);
|
||||
|
||||
declen = crypto_cipher_decrypt_with_iv(descriptor_cookie, dec,
|
||||
ipos_encrypted_size -
|
||||
|
Loading…
Reference in New Issue
Block a user