Commit c442d854 authored Oct 23, 2012 by Nick Mathewson

Fix a remotely triggerable assertion failure (CVE-2012-2250)

If we completed the handshake for the v2 link protocol but wound up
negotiating the wong protocol version, we'd become so confused about
what part of the handshake we were in that we'd promptly die with an
assertion.

This is a fix for CVE-2012-2250; it's a bugfix on 0.2.3.6-alpha.
All servers running that version or later should really upgrade.

Bug and fix from "some guy from France."  I tweaked his code slightly
to make it log the IP of the offending node, and to forward-port it to
0.2.4.

parent 3d825d22

changes/link_negotiation_assert

0 → 100644

+6 −0

Original line number	Diff line number	Diff line
		o Major bugfixs (security):
		- Fix a group of remotely triggerable assertion failures related to
		incorrect link protocol negotiation. Found, diagnosed, and fixed
		by "some guy from France." Fix for CVE-2012-2250; bugfix on
		0.2.3.6-alpha.

src/or/channeltls.c

+9 −0

Original line number	Diff line number	Diff line
		@@ -1229,6 +1229,15 @@ channel_tls_process_versions_cell(var_cell_t cell, channel_tls_t chan)
		"handshake. Closing connection.");
		connection_or_close_for_error(chan->conn, 0);
		return;
		} else if (highest_supported_version != 2 &&
		chan->conn->base_.state == OR_CONN_STATE_OR_HANDSHAKING_V2) {
		/* XXXX This should eventually be a log_protocol_warn */
		log_fn(LOG_WARN, LD_OR,
		"Negotiated link with non-2 protocol after doing a v2 TLS "
		"handshake with %s. Closing connection.",
		fmt_addr(&chan->conn->base_.addr));
		connection_or_close_for_error(chan->conn, 0);
		return;
		}

		chan->conn->link_proto = highest_supported_version;