[tor-commits] [tor/maint-0.3.0] hs-v2: Remove any expiring intro from the retry list

nickm at torproject.org nickm at torproject.org
Fri Dec 1 14:06:04 UTC 2017


commit 3030741b5d24e9ae36e6d72c6a8c7d035fde9d2a
Author: David Goulet <dgoulet at torproject.org>
Date:   Tue Nov 21 10:16:08 2017 -0500

    hs-v2: Remove any expiring intro from the retry list
    
    TROVE-2017-13. Severity: High.
    
    In the unlikely case that a hidden service could be missing intro circuit(s),
    that it didn't have enough directory information to open new circuits and that
    an intro point was about to expire, a use-after-free is possible because of
    the intro point object being both in the retry list and expiring list at the
    same time.
    
    The intro object would get freed after the circuit failed to open and then
    accessed a second time when cleaned up from the expiring list.
    
    Fixes #24313
---
 changes/bug24313     | 5 +++++
 src/or/rendservice.c | 4 ++++
 2 files changed, 9 insertions(+)

diff --git a/changes/bug24313 b/changes/bug24313
new file mode 100644
index 000000000..b927ec3ba
--- /dev/null
+++ b/changes/bug24313
@@ -0,0 +1,5 @@
+  o Major bugfixes (security, hidden service v2):
+    - Fix a use-after-free error that could crash v2 Tor hidden services
+      when it failed to open circuits while expiring introductions
+      points. Fixes bug 24313; bugfix on 0.2.7.2-alpha.  This
+      issue is also tracked as TROVE-2017-013 and CVE-2017-8823.
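Review bot: In the changelog text, "expiring introductions points" should read "expiring introduction points", and "when it failed to open circuits" uses a singular pronoun for the plural "services"; "when they failed" reads correctly. The tracker identifier is written TROVE-2017-013 here but TROVE-2017-13 in the commit message, so one form should be used in both places.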
diff --git a/src/or/rendservice.c b/src/or/rendservice.c
index 0a5b5efd5..cbf998136 100644
--- a/src/or/rendservice.c
+++ b/src/or/rendservice.c
@@ -3444,6 +3444,10 @@ remove_invalid_intro_points(rend_service_t *service,
       log_info(LD_REND, "Expiring %s as intro point for %s.",
                safe_str_client(extend_info_describe(intro->extend_info)),
                safe_str_client(service->service_id));
+      /* We might have put it in the retry list if so, undo. */
+      if (retry_nodes) {
+        smartlist_remove(retry_nodes, intro);
+      }
       smartlist_add(service->expiring_nodes, intro);
       SMARTLIST_DEL_CURRENT(service->intro_nodes, intro);
       /* Intro point is expired, we need a new one thus don't consider it
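Review bot: The new comment above the "if (retry_nodes)" check is a run-on and does not say why the entry has to come out of the list. Wording such as "We might have put it in the retry list; if so, undo, because an intro point must never be in both the retry list and expiring_nodes" would record the invariant the commit message describes, where the object is freed after the circuit fails to open and is then accessed again during cleanup of the expiring list. The diffstat lists only changes/bug24313 and src/or/rendservice.c, so no regression test covers this path; a unit test that calls remove_invalid_intro_points() with an expiring intro point already placed in retry_nodes and checks that it ends up only in service->expiring_nodes would guard against the bug being reintroduced.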




