[tor-bugs] #15823 [Tor]: Out-of-bounds read in INTRODUCE2 with client authorization
Tor Bug Tracker & Wiki
blackhole at torproject.org
Sun Apr 26 04:51:31 UTC 2015
#15823: Out-of-bounds read in INTRODUCE2 with client authorization
---------------------+------------------------------------
Reporter: special | Owner:
Type: defect | Status: new
Priority: normal | Milestone: Tor: 0.2.7.x-final
Component: Tor | Version:
Keywords: tor-hs | Actual Points:
Parent ID: | Points:
---------------------+------------------------------------
An authorized hidden service client can cause an out-of-bounds read on a
service with authorization enabled, of at most 15 bytes off the end of a
malloc'd segment. The client must have a valid authorization cookie. There
is no disclosure of uninitialized memory, except in an info-level log
message, but there is a small chance of a crash.

In rend_check_authorization, the descriptor_cookie from the INTRODUCE2
cell is assumed to be REND_DESC_COOKIE_LEN bytes. This is checked earlier
when the auth_type is 1 or 2, but not for any other non-zero auth_type.
There is a warning about unknown auth types in
rend_service_validate_intro_late, but no error.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/15823>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
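
The validation gap described in this ticket, beside one possible hardening, as an added example that is not Tor's code and not from the reporter. The struct and function names are hypothetical, `COOKIE_LEN` assumes REND_DESC_COOKIE_LEN is 16, and the sample buffers are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define COOKIE_LEN 16 /* assumed value of REND_DESC_COOKIE_LEN */

/* Hypothetical view of the client-auth fields parsed from an INTRODUCE2 cell. */
struct intro_auth {
    uint8_t auth_type;        /* 0 = none; 1 and 2 are the known types */
    size_t auth_len;          /* bytes the client actually supplied */
    const uint8_t *auth_data; /* allocation of exactly auth_len bytes */
};

/* The gap from the ticket: length enforced only for auth_type 1 or 2. */
int validate_as_reported(const struct intro_auth *a) {
    if (a->auth_type == 1 || a->auth_type == 2)
        return a->auth_len == COOKIE_LEN;
    return 1; /* unknown non-zero type: warned about, still accepted */
}

/* One possible hardening: reject unknown types, require exact length. */
int validate_hardened(const struct intro_auth *a) {
    if (a->auth_type == 0)
        return 1;
    if (a->auth_type != 1 && a->auth_type != 2)
        return 0;
    return a->auth_data != NULL && a->auth_len == COOKIE_LEN;
}

/* Fixed-length compare; reads COOKIE_LEN bytes only after validation. */
int cookie_matches(const struct intro_auth *a, const uint8_t *expected) {
    uint8_t diff = 0;
    if (a->auth_type == 0 || !validate_hardened(a))
        return 0;
    for (size_t i = 0; i < COOKIE_LEN; i++)
        diff |= (uint8_t)(a->auth_data[i] ^ expected[i]);
    return diff == 0;
}

int main(void) {
    static const uint8_t cookie[COOKIE_LEN] = {0}; /* constructed sample */
    static const uint8_t short_data[1] = {0};      /* constructed sample */
    struct intro_auth odd = {3, sizeof short_data, short_data};
    struct intro_auth good = {1, COOKIE_LEN, cookie};
    printf("type 3, 1 byte: reported=%d hardened=%d\n",
           validate_as_reported(&odd), validate_hardened(&odd));
    printf("type 1, 16 bytes: match=%d\n", cookie_matches(&good, cookie));
    return 0;
}
```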