| commit | 053e11f397f3f890c52a1add6aa4e75a9178eba0 | |
| author | John Brooks <john.brooks@dereferenced.net> | |
| Sun, 26 Apr 2015 04:52:35 +0000 (25 22:52 -0600) | ||
| committer | Nick Mathewson <nickm@torproject.org> | |
| Tue, 7 Feb 2017 13:31:37 +0000 (7 08:31 -0500) | ||
| tree | 686f329f0d76239a414ce800c3921b2cd280eb52 | treesnapshot (tar.gz zip) |
| parent | 3833f67dd2dc35dbcfe1d5659c885f0b5f54125b | commitdiff |
Fix out-of-bounds read in INTRODUCE2 client auth
The length of auth_data from an INTRODUCE2 cell is checked when the
auth_type is recognized (1 or 2), but not for any other non-zero
auth_type. Later, auth_data is assumed to have at least
REND_DESC_COOKIE_LEN bytes, leading to a client-triggered out of bounds
read.
Fixed by checking auth_len before comparing the descriptor cookie
against known clients.
Fixes #15823; bugfix on 0.2.1.6-alpha.
The length of auth_data from an INTRODUCE2 cell is checked when the
auth_type is recognized (1 or 2), but not for any other non-zero
auth_type. Later, auth_data is assumed to have at least
REND_DESC_COOKIE_LEN bytes, leading to a client-triggered out of bounds
read.
Fixed by checking auth_len before comparing the descriptor cookie
against known clients.
Fixes #15823; bugfix on 0.2.1.6-alpha.
| changes/bug15823 | [new file with mode: 0644] | blob |
| src/or/rendservice.c | diffblobblamehistory |