[tor-bugs] #5644 [- Select a component]: rend_service_introduce() asserts circuit->rend_data before checking for proto violation
Tor Bug Tracker & Wiki
torproject-admin at torproject.org
Wed Apr 18 21:48:48 UTC 2012
#5644: rend_service_introduce() asserts circuit->rend_data before checking for
proto violation
----------------------------------+-----------------------------------------
Reporter: asn | Owner:
Type: defect | Status: new
Priority: normal | Milestone:
Component: - Select a component | Version:
Keywords: | Parent: #5643
Points: | Actualpoints:
----------------------------------+-----------------------------------------
{{{
...
#ifndef NON_ANONYMOUS_MODE_ENABLED
tor_assert(!(circuit->build_state->onehop_tunnel));
#endif
tor_assert(circuit->rend_data);
base32_encode(serviceid, REND_SERVICE_ID_LEN_BASE32+1,
circuit->rend_data->rend_pk_digest, REND_SERVICE_ID_LEN);
log_info(LD_REND, "Received INTRODUCE2 cell for service %s on circ %d.",
escaped(serviceid), circuit->_base.n_circ_id);
if (circuit->_base.purpose != CIRCUIT_PURPOSE_S_INTRO) {
log_warn(LD_PROTOCOL,
"Got an INTRODUCE2 over a non-introduction circuit %d.",
circuit->_base.n_circ_id);
return -1;
}
}}}
A bad exit might be able to exploit this by sending a
`RELAY_COMMAND_INTRODUCE2` cell to a client (through a
`CIRCUIT_PURPOSE_C_GENERAL` circuit) and triggering
`tor_assert(circuit->rend_data);`.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/5644>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
More information about the tor-bugs
mailing list