Assertion failure in client in rend_decrypt_introduction_points()
It appears to be possible to remotely trigger an assertion failure in the client when it's parsing directory authority responses.
If a client receives a response with purpose DIR_PURPOSE_FETCH_RENDDESC_V2, it calls rend_cache_store_v2_desc_as_client() (in or/rendcommon.c), which immediately calls rend_parse_v2_service_descriptor() (in or/routerparse.c) to parse the descriptor. This parses the descriptor and pulls out the encrypted introduction points without validating their contents or size (that validation is deferred until later).
Then, back in rend_cache_store_v2_desc_as_client(), rend_decrypt_introduction_points() (in or/routerparse.c) is called. This function only verifies that the size of the encrypted introduction points is not less than 2. If the type is REND_STEALTH_AUTH, the following is immediately called:
dec = tor_malloc_zero(ipos_encrypted_size - CIPHER_IV_LEN - 1);
If the size is less than CIPHER_IV_LEN, the unsigned subtraction wraps around to a huge value, and the attempt to allocate that much memory triggers an assertion failure.
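The arithmetic behind the report, as an added illustration that is not Tor's own code: the size computation is reproduced on a size_t operand next to a version that validates the minimum length before subtracting, which is the check a maintainer would add. CIPHER_IV_LEN is assumed to be 16 (Tor's AES IV length), and the minimum accepted size of CIPHER_IV_LEN + 2 (auth-type byte, IV, and at least one ciphertext byte) is an assumption for this example, not a statement of what the eventual fix used.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed for this example: Tor's CIPHER_IV_LEN is 16 bytes. */
#define CIPHER_IV_LEN 16

/* Reproduces the computation described in the report. ipos_encrypted_size is
   unsigned (size_t), so when it is smaller than CIPHER_IV_LEN + 1 the
   subtraction wraps around instead of going negative, and the result is the
   huge value that would be handed to tor_malloc_zero(). Returns 0 for sizes
   the original "< 2" check would already have rejected. */
size_t vulnerable_alloc_size(size_t ipos_encrypted_size) {
    if (ipos_encrypted_size < 2)
        return 0;
    return ipos_encrypted_size - CIPHER_IV_LEN - 1;
}

/* Hardened variant: reject inputs that cannot hold the auth-type byte, the IV
   and at least one byte of ciphertext before doing any arithmetic, so the
   expression can never wrap. The threshold is an assumption for this example.
   Returns true and stores the allocation size on success. */
bool checked_alloc_size(size_t ipos_encrypted_size, size_t *out_size) {
    if (ipos_encrypted_size < CIPHER_IV_LEN + 2)
        return false;
    *out_size = ipos_encrypted_size - CIPHER_IV_LEN - 1;
    return true;
}

/* Simple stand-in for the allocator's sanity limit: any request larger than
   half the address space is treated as the kind of size that trips an
   assertion rather than being served. */
bool would_trip_allocator(size_t n) {
    return n > SIZE_MAX / 2;
}

int main(void) {
    /* Constructed sample sizes: one too short to hold an IV, one valid. */
    size_t samples[] = { 10, 40 };
    for (size_t i = 0; i < 2; i++) {
        size_t raw = vulnerable_alloc_size(samples[i]);
        size_t safe = 0;
        bool ok = checked_alloc_size(samples[i], &safe);
        printf("size %zu: unchecked=%zu (trips allocator: %s), checked=%s\n",
               samples[i], raw, would_trip_allocator(raw) ? "yes" : "no",
               ok ? "accepted" : "rejected");
    }
    return 0;
}
```

The point the example makes is that the "< 2" guard is satisfied by any size from 2 through CIPHER_IV_LEN, yet every one of those values wraps in the subtraction; the length check has to express the real minimum the later arithmetic assumes.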
Trac username: drosenbe