Loading changes/bug40392 0 → 100644 +4 −0 Original line number Diff line number Diff line o Major bugfixes (security, denial of service, onion services): - Fix an out-of-bounds memory access in v3 descriptor parsing. Fixes bug 40392; bugfix on 0.3.0.1-alpha. This issue is also tracked as TROVE-2021-006. Reported by Sergei Glazunov from Google's Project Zero. No newline at end of file src/feature/hs/hs_descriptor.c +2 −1 Original line number Diff line number Diff line Loading @@ -137,7 +137,7 @@ static token_rule_t hs_desc_superencrypted_v3_token_table[] = { /** Descriptor ruleset for the encrypted section. */ static token_rule_t hs_desc_encrypted_v3_token_table[] = { T1_START(str_create2_formats, R3_CREATE2_FORMATS, CONCAT_ARGS, NO_OBJ), T01(str_intro_auth_required, R3_INTRO_AUTH_REQUIRED, ARGS, NO_OBJ), T01(str_intro_auth_required, R3_INTRO_AUTH_REQUIRED, GE(1), NO_OBJ), T01(str_single_onion, R3_SINGLE_ONION_SERVICE, ARGS, NO_OBJ), END_OF_TABLE }; Loading Loading @@ -2322,6 +2322,7 @@ desc_decode_encrypted_v3(const hs_descriptor_t *desc, /* Authentication type. It's optional but only once. */ tok = find_opt_by_keyword(tokens, R3_INTRO_AUTH_REQUIRED); if (tok) { tor_assert(tok->n_args >= 1); if (!decode_auth_type(desc_encrypted_out, tok->args[0])) { log_warn(LD_REND, "Service descriptor authentication type has " "invalid entry(ies)."); Loading Loading
changes/bug40392 0 → 100644 +4 −0 Original line number Diff line number Diff line o Major bugfixes (security, denial of service, onion services): - Fix an out-of-bounds memory access in v3 descriptor parsing. Fixes bug 40392; bugfix on 0.3.0.1-alpha. This issue is also tracked as TROVE-2021-006. Reported by Sergei Glazunov from Google's Project Zero. No newline at end of file
src/feature/hs/hs_descriptor.c +2 −1 Original line number Diff line number Diff line Loading @@ -137,7 +137,7 @@ static token_rule_t hs_desc_superencrypted_v3_token_table[] = { /** Descriptor ruleset for the encrypted section. */ static token_rule_t hs_desc_encrypted_v3_token_table[] = { T1_START(str_create2_formats, R3_CREATE2_FORMATS, CONCAT_ARGS, NO_OBJ), T01(str_intro_auth_required, R3_INTRO_AUTH_REQUIRED, ARGS, NO_OBJ), T01(str_intro_auth_required, R3_INTRO_AUTH_REQUIRED, GE(1), NO_OBJ), T01(str_single_onion, R3_SINGLE_ONION_SERVICE, ARGS, NO_OBJ), END_OF_TABLE }; Loading Loading @@ -2322,6 +2322,7 @@ desc_decode_encrypted_v3(const hs_descriptor_t *desc, /* Authentication type. It's optional but only once. */ tok = find_opt_by_keyword(tokens, R3_INTRO_AUTH_REQUIRED); if (tok) { tor_assert(tok->n_args >= 1); if (!decode_auth_type(desc_encrypted_out, tok->args[0])) { log_warn(LD_REND, "Service descriptor authentication type has " "invalid entry(ies)."); Loading
