John Brooks authored 9 years ago and Nick Mathewson committed 9 years ago

The length of auth_data from an INTRODUCE2 cell is checked when the
auth_type is recognized (1 or 2), but not for any other non-zero
auth_type. Later, auth_data is assumed to have at least
REND_DESC_COOKIE_LEN bytes, leading to a client-triggered out of bounds
read.

Fixed by checking auth_len before comparing the descriptor cookie
against known clients.

Fixes #15823; bugfix on 0.2.1.6-alpha.

Fixes #15850, part of #15801. Change file is added by this commit. The
original comment in the reverted commit is removed because right now we
*need* a DirPort until #15849 is implemented so no doubt nor confusion there
anymore.

This reverts commit 80bed1ac.

Signed-off-by: David Goulet <dgoulet@ev0ke.net>

Yawning Angel authored 10 years ago and Nick Mathewson committed 9 years ago

In theory these should never the triggered as the only caller now
validates the parameters before this routine gets called.

Yawning Angel authored 10 years ago and Nick Mathewson committed 9 years ago

Found by DonnchaC.

Yawning Angel authored 10 years ago and Nick Mathewson committed 9 years ago

Fixes bug 15600; reported by skruffy

George Kadianakis authored 10 years ago and Nick Mathewson committed 10 years ago

(Sending a nak would be pointless.)

See ticket 15515 for discussion.

Yawning Angel authored 10 years ago and Nick Mathewson committed 10 years ago

The compiler is allowed to assume that a "uint64_t *" is aligned
correctly, and will inline a version of memcpy that acts as such.

Use "uint8_t *", so the compiler does the right thing.

For 15176; Shadow would like this.

Based on a patch by Rob Jansen, but revised to have a minimal-sized diff.