Fix a remote denial of service bug, torbug#20384, TROVE-2016-001.

Also update the authority set.

Fix a remote denial of service bug, torbug#20384, TROVE-2016-001.
00bf2bab · Peter Palfrader · dd0682ff · 00bf2bab · 00bf2bab · 00bf2bab
Commit 00bf2bab authored 8 years ago by Peter Palfrader
--- a/debian/changelog
+++ b/debian/changelog
+tor (0.2.4.27-2) wheezy-security; urgency=medium
+
+  * Fix a remote denial of service bug, torbug#20384, TROVE-2016-001.
+  * Update the set of authority directory servers to the one from
+    Tor 0.2.8.7, released in August 2016.  This updates the key
+    for dannenberg, replaces the Tonga bridge authority with Bifroest,
+    and drops urras.
+
+ -- Peter Palfrader <weasel@debian.org>  Tue, 18 Oct 2016 09:40:24 +0200
+
 tor (0.2.4.27-1) wheezy-security; urgency=medium

  * New upstream version, fixing hidden service related Denial of

--- a/debian/patches/series
+++ b/debian/patches/series
 improve-geoip-warning
 torrc-revert-to-0.2.3.x-tree
+update-authority-set
+tor-bug-20384-TROVE-2016-10-001
--- a/debian/patches/tor-bug-20384-TROVE-2016-10-001
+++ b/debian/patches/tor-bug-20384-TROVE-2016-10-001
+From 73b127e7a2c747cd3c5d9aa6c0e0801b86a1a945 Mon Sep 17 00:00:00 2001
+From: Nick Mathewson <nickm@torproject.org>
+Date: Fri, 14 Oct 2016 09:38:12 -0400
+Subject: [PATCH] Add a one-word sentinel value of 0x0 at the end of each buf_t
+ chunk
+
+This helps protect against bugs where any part of a buf_t's memory
+is passed to a function that expects a NUL-terminated input.
+---
+ src/or/buffers.c | 31 ++++++++++++++++++++++++++++---
+ 1 file changed, 28 insertions(+), 3 deletions(-)
+
+diff --git a/src/or/buffers.c b/src/or/buffers.c
+index ab3346d9b7b8cb..e2e59eb6804c87 100644
+--- a/src/or/buffers.c
+++ b/src/or/buffers.c
+@@ -75,12 +75,33 @@ typedef struct chunk_t {
+ 
+ #define CHUNK_HEADER_LEN STRUCT_OFFSET(chunk_t, mem[0])
+ 
+/* We leave this many NUL bytes at the end of the buffer. */
+#define SENTINEL_LEN 4
+
+/* Header size plus NUL bytes at the end */
+#define CHUNK_OVERHEAD (CHUNK_HEADER_LEN + SENTINEL_LEN)
+
+ /** Return the number of bytes needed to allocate a chunk to hold
+  * <b>memlen</b> bytes. */
+-#define CHUNK_ALLOC_SIZE(memlen) (CHUNK_HEADER_LEN + (memlen))
+#define CHUNK_ALLOC_SIZE(memlen) (CHUNK_OVERHEAD + (memlen))
+ /** Return the number of usable bytes in a chunk allocated with
+  * malloc(<b>memlen</b>). */
+-#define CHUNK_SIZE_WITH_ALLOC(memlen) ((memlen) - CHUNK_HEADER_LEN)
+#define CHUNK_SIZE_WITH_ALLOC(memlen) ((memlen) - CHUNK_OVERHEAD)
+
+#define DEBUG_SENTINEL
+
+#ifdef DEBUG_SENTINEL
+#define DBG_S(s) s
+#else
+#define DBG_S(s) (void)0
+#endif
+
+#define CHUNK_SET_SENTINEL(chunk, alloclen) do {                        \
+    uint8_t *a = (uint8_t*) &(chunk)->mem[(chunk)->memlen];             \
+    DBG_S(uint8_t *b = &((uint8_t*)(chunk))[(alloclen)-SENTINEL_LEN]);  \
+    DBG_S(tor_assert(a == b));                                          \
+    memset(a,0,SENTINEL_LEN);                                           \
+  } while (0)
+ 
+ /** Return the next character in <b>chunk</b> onto which data can be appended.
+  * If the chunk is full, this might be off the end of chunk->mem. */
+@@ -204,6 +225,7 @@ chunk_new_with_alloc_size(size_t alloc)
+   ch->datalen = 0;
+   ch->memlen = CHUNK_SIZE_WITH_ALLOC(alloc);
+   ch->data = &ch->mem[0];
+  CHUNK_SET_SENTINEL(ch, alloc);
+   return ch;
+ }
+ #else
+@@ -221,6 +243,7 @@ chunk_new_with_alloc_size(size_t alloc)
+   ch->datalen = 0;
+   ch->memlen = CHUNK_SIZE_WITH_ALLOC(alloc);
+   ch->data = &ch->mem[0];
+  CHUNK_SET_SENTINEL(ch, alloc);
+   return ch;
+ }
+ #endif
+@@ -231,11 +254,13 @@ static INLINE chunk_t *
+ chunk_grow(chunk_t *chunk, size_t sz)
+ {
+   off_t offset;
+  const size_t new_alloc = CHUNK_ALLOC_SIZE(sz);
+   tor_assert(sz > chunk->memlen);
+   offset = chunk->data - chunk->mem;
+-  chunk = tor_realloc(chunk, CHUNK_ALLOC_SIZE(sz));
+  chunk = tor_realloc(chunk, new_alloc);
+   chunk->memlen = sz;
+   chunk->data = chunk->mem + offset;
+  CHUNK_SET_SENTINEL(chunk, new_alloc);
+   return chunk;
+ }
+ 
+-- 
+2.7.4
+
--- a/debian/patches/update-authority-set
+++ b/debian/patches/update-authority-set
+diff --git a/src/or/config.c b/src/or/config.c
+index fde88ad..eae7296 100644
+--- a/src/or/config.c
+++ b/src/or/config.c
+@@ -794,16 +794,14 @@ add_default_trusted_dir_authorities(dirinfo_type_t type)
+       "86.59.21.38:80 847B 1F85 0344 D787 6491 A548 92F9 0493 4E4E B85D",
+     "dizum orport=443 v3ident=E8A9C45EDE6D711294FADF8E7951F4DE6CA56B58 "
+       "194.109.206.212:80 7EA6 EAD6 FD83 083C 538F 4403 8BBF A077 587D D755",
+-    "Tonga orport=443 bridge no-v2 82.94.251.203:80 "
+-      "4A0C CD2D DC79 9508 3D73 F5D6 6710 0C8A 5831 F16D",
+    "Bifroest orport=443 bridge no-v2 "
+      "37.218.247.217:80 1D8F 3A91 C37C 5D1C 4C19 B1AD 1D0C FBE8 BF72 D8E1",
+     "gabelmoo orport=443 no-v2 "
+       "v3ident=ED03BB616EB2F60BEC80151114BB25CEF515B226 "
+       "131.188.40.189:80 F204 4413 DAC2 E02E 3D6B CF47 35A1 9BCA 1DE9 7281",
+     "dannenberg orport=443 no-v2 "
+-      "v3ident=585769C78764D58426B8B52B6651A5A71137189A "
+      "v3ident=0232AF901C31A04EE9848595AF9BB7620D4C5B2E "
+       "193.23.244.244:80 7BE6 83E6 5D48 1413 21C5 ED92 F075 C553 64AC 7123",
+-    "urras orport=80 no-v2 v3ident=80550987E1D626E3EBA5E5E75A458DE0626D088C "
+-      "208.83.223.34:443 0AD3 FA88 4D18 F89E EA2D 89C0 1937 9E0E 7FD9 4417",
+     "maatuska orport=80 no-v2 "
+       "v3ident=49015F787433103580E3B66A1707A00E60F2D15B "
+       "171.25.193.9:443 BD6A 8292 55CB 08E6 6FBE 7D37 4836 3586 E46B 3810",