[tor-commits] [tor/maint-0.2.4] Fix an uninitialized-read when parsing v3 introduction requests.

arma at torproject.org arma at torproject.org
Sat Aug 10 22:01:04 UTC 2013


commit d5cfbf96a2dbbee4501da92d5a21d0c66732ae24
Author: Nick Mathewson <nickm at torproject.org>
Date:   Mon Aug 5 11:40:33 2013 -0400

    Fix an uninitialized-read when parsing v3 introduction requests.
    
    Fortunately, later checks mean that uninitialized data can't get sent
    to the network by this bug.  Unfortunately, reading uninitialized heap
    *can* (in some cases, with some allocators) cause a crash if you get
    unlucky and go off the end of a page.
    
    Found by asn.  Bugfix on 0.2.4.1-alpha.
---
 changes/v3_intro_len |    8 ++++++++
 src/or/rendservice.c |   10 ++--------
 src/or/rendservice.h |    2 --
 3 files changed, 10 insertions(+), 10 deletions(-)

diff --git a/changes/v3_intro_len b/changes/v3_intro_len
new file mode 100644
index 0000000..fbe39bc
--- /dev/null
+++ b/changes/v3_intro_len
@@ -0,0 +1,8 @@
+  o Major bugfixes:
+
+    - Fix an uninitialized read that could (in some cases) lead to a remote
+      crash while parsing INTRODUCE 1 cells. (This is, so far as we know,
+      unrelated to the recent news.)  Fixes bug XXX; bugfix on
+      0.2.4.1-alpha. Anybody running a hidden service on the experimental
+      0.2.4.x branch should upgrade.
+
diff --git a/src/or/rendservice.c b/src/or/rendservice.c
index a8f63dd..00bca17 100644
--- a/src/or/rendservice.c
+++ b/src/or/rendservice.c
@@ -1898,8 +1898,8 @@ rend_service_parse_intro_for_v3(
       }
   }
 
-  /* Check that we actually have everything up to the timestamp */
-  if (plaintext_len < (size_t)(ts_offset)) {
+  /* Check that we actually have everything up through the timestamp */
+  if (plaintext_len < (size_t)(ts_offset)+4) {
     if (err_msg_out) {
       tor_asprintf(err_msg_out,
                    "truncated plaintext of encrypted parted of "
@@ -1923,12 +1923,6 @@ rend_service_parse_intro_for_v3(
   }
 
   /*
-   * Apparently we don't use the timestamp any more, but might as well copy
-   * over just in case we ever care about it.
-   */
-  intro->u.v3.timestamp = ntohl(get_uint32(buf + ts_offset));
-
-  /*
    * From here on, the format is as in v2, so we call the v2 parser with
    * adjusted buffer and length.  We are 4 + ts_offset octets in, but the
    * v2 parser expects to skip over a version byte at the start, so we
diff --git a/src/or/rendservice.h b/src/or/rendservice.h
index ff31ba6..caf88a3 100644
--- a/src/or/rendservice.h
+++ b/src/or/rendservice.h
@@ -56,8 +56,6 @@ struct rend_intro_cell_s {
       uint16_t auth_len;
       /* Auth data */
       uint8_t *auth_data;
-      /* timestamp */
-      uint32_t timestamp;
       /* Rendezvous point's IP address/port, identity digest and onion key */
       extend_info_t *extend_info;
     } v3;



More information about the tor-commits mailing list