mirror of
https://gitlab.torproject.org/tpo/core/tor.git
synced 2024-11-20 10:12:15 +01:00
2b27ce52d2
The length of auth_data from an INTRODUCE2 cell is checked when the auth_type is recognized (1 or 2), but not for any other non-zero auth_type. Later, auth_data is assumed to have at least REND_DESC_COOKIE_LEN bytes, leading to a client-triggered out of bounds read. Fixed by checking auth_len before comparing the descriptor cookie against known clients. Fixes #15823; bugfix on 0.2.1.6-alpha.
5 lines
200 B
Plaintext
5 lines
200 B
Plaintext
o Minor bugfixes (hidden service):
|
|
- Fix an out-of-bounds read when parsing invalid INTRODUCE2 cells
|
|
on a client authorized hidden service. Fixes bug 15823; bugfix
|
|
on 0.2.1.6-alpha.
|