Commit 0ae9fd62 authored by Nick Mathewson's avatar Nick Mathewson 🏃
Browse files

Merge branch 'maint-0.3.5' into maint-0.4.4

parents 014345ed f57b5c48
Pipeline #7679 passed with stage
in 16 minutes and 49 seconds
o Major bugfixes (security, denial of service, onion services):
- Fix an out-of-bounds memory access in v3 descriptor parsing. Fixes bug
40392; bugfix on 0.3.0.1-alpha. This issue is also tracked as
TROVE-2021-006. Reported by Sergei Glazunov from Google's Project Zero.
\ No newline at end of file
...@@ -136,7 +136,7 @@ static token_rule_t hs_desc_superencrypted_v3_token_table[] = { ...@@ -136,7 +136,7 @@ static token_rule_t hs_desc_superencrypted_v3_token_table[] = {
/** Descriptor ruleset for the encrypted section. */ /** Descriptor ruleset for the encrypted section. */
static token_rule_t hs_desc_encrypted_v3_token_table[] = { static token_rule_t hs_desc_encrypted_v3_token_table[] = {
T1_START(str_create2_formats, R3_CREATE2_FORMATS, CONCAT_ARGS, NO_OBJ), T1_START(str_create2_formats, R3_CREATE2_FORMATS, CONCAT_ARGS, NO_OBJ),
T01(str_intro_auth_required, R3_INTRO_AUTH_REQUIRED, ARGS, NO_OBJ), T01(str_intro_auth_required, R3_INTRO_AUTH_REQUIRED, GE(1), NO_OBJ),
T01(str_single_onion, R3_SINGLE_ONION_SERVICE, ARGS, NO_OBJ), T01(str_single_onion, R3_SINGLE_ONION_SERVICE, ARGS, NO_OBJ),
END_OF_TABLE END_OF_TABLE
}; };
...@@ -2321,6 +2321,7 @@ desc_decode_encrypted_v3(const hs_descriptor_t *desc, ...@@ -2321,6 +2321,7 @@ desc_decode_encrypted_v3(const hs_descriptor_t *desc,
/* Authentication type. It's optional but only once. */ /* Authentication type. It's optional but only once. */
tok = find_opt_by_keyword(tokens, R3_INTRO_AUTH_REQUIRED); tok = find_opt_by_keyword(tokens, R3_INTRO_AUTH_REQUIRED);
if (tok) { if (tok) {
tor_assert(tok->n_args >= 1);
if (!decode_auth_type(desc_encrypted_out, tok->args[0])) { if (!decode_auth_type(desc_encrypted_out, tok->args[0])) {
log_warn(LD_REND, "Service descriptor authentication type has " log_warn(LD_REND, "Service descriptor authentication type has "
"invalid entry(ies)."); "invalid entry(ies).");
......
Supports Markdown
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment