[tor-bugs] #6797 [Tor Directory Authority]: dirserv_generate_networkstatus_vote_obj() might dereference NULL
Tor Bug Tracker & Wiki
torproject-admin at torproject.org
Mon Sep 10 09:10:50 UTC 2012
#6797: dirserv_generate_networkstatus_vote_obj() might dereference NULL
-------------------------------------+--------------------------------------
Reporter: ln5 | Owner: ln5
Type: defect | Status: needs_review
Priority: major | Milestone:
Component: Tor Directory Authority | Version:
Keywords: | Parent:
Points: | Actualpoints:
-------------------------------------+--------------------------------------
Comment(by ln5):
dirvote_create_microdescriptor() returns NULL if either of
1. crypto_pk_write_public_key_to_string(ri->onion_pkey, &key, &keylen)
returns < 0
2. microdescs_parse_from_string() returns a list with length != 1
Case 1 happens if either of
a) BIO_new(BIO_s_mem()) returns != 0
b) PEM_write_bio_RSAPublicKey(b, env->key) returns != 0
Case 2 happens if either of
a) we have produced md text that we cannot parse (tokenize_string() -> !=
0)
b) there's more than one (proper) md in the input (no)
c) bad time in "@last-listed" (no)
d) invalid exponent in "onion-key" (crypto_pk_public_exponent_ok() -> 0)
e) illegal nickname in "family" (is_legal_nickname_or_hexdigest() -> 0)
I can not see how case 1 would be triggered remotely.
I think that case 2 is possible to trigger if you can get a
routerinfo_t with an invalid onion-key or nickname into the routerlist
of a dir auth. That seems tricky though. Routers from "r" lines are
protected by router_parse_entry_from_string(), using the same
verification functions as mentioned above.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/6797#comment:2>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
More information about the tor-bugs
mailing list