Loading changes/bug15823 0 → 100644 +4 −0 Original line number Diff line number Diff line o Minor bugfixes (hidden service): - Fix an out-of-bounds read when parsing invalid INTRODUCE2 cells on a client authorized hidden service. Fixes bug 15823; bugfix on 0.2.1.6-alpha. src/or/rendservice.c +14 −4 Original line number Diff line number Diff line Loading @@ -1310,11 +1310,13 @@ rend_service_requires_uptime(rend_service_t *service) return 0; } /** Check client authorization of a given <b>descriptor_cookie</b> for * <b>service</b>. Return 1 for success and 0 for failure. */ /** Check client authorization of a given <b>descriptor_cookie</b> of * length <b>cookie_len</b> for <b>service</b>. Return 1 for success * and 0 for failure. */ static int rend_check_authorization(rend_service_t *service, const char *descriptor_cookie) const char *descriptor_cookie, size_t cookie_len) { rend_authorized_client_t *auth_client = NULL; tor_assert(service); Loading @@ -1325,6 +1327,13 @@ rend_check_authorization(rend_service_t *service, return 0; } if (cookie_len != REND_DESC_COOKIE_LEN) { log_info(LD_REND, "Descriptor cookie is %lu bytes, but we expected " "%lu bytes. Dropping cell.", (unsigned long)cookie_len, (unsigned long)REND_DESC_COOKIE_LEN); return 0; } /* Look up client authorization by descriptor cookie. */ SMARTLIST_FOREACH(service->clients, rend_authorized_client_t *, client, { if (tor_memeq(client->descriptor_cookie, descriptor_cookie, Loading Loading @@ -1672,7 +1681,8 @@ rend_service_introduce(origin_circuit_t *circuit, const uint8_t *request, if (service->clients) { if (parsed_req->version == 3 && parsed_req->u.v3.auth_len > 0) { if (rend_check_authorization(service, (const char*)parsed_req->u.v3.auth_data)) { (const char*)parsed_req->u.v3.auth_data, parsed_req->u.v3.auth_len)) { log_info(LD_REND, "Authorization data in INTRODUCE2 cell are valid."); } else { log_info(LD_REND, "The authorization data that are contained in " Loading Loading
changes/bug15823 0 → 100644 +4 −0 Original line number Diff line number Diff line o Minor bugfixes (hidden service): - Fix an out-of-bounds read when parsing invalid INTRODUCE2 cells on a client authorized hidden service. Fixes bug 15823; bugfix on 0.2.1.6-alpha.
src/or/rendservice.c +14 −4 Original line number Diff line number Diff line Loading @@ -1310,11 +1310,13 @@ rend_service_requires_uptime(rend_service_t *service) return 0; } /** Check client authorization of a given <b>descriptor_cookie</b> for * <b>service</b>. Return 1 for success and 0 for failure. */ /** Check client authorization of a given <b>descriptor_cookie</b> of * length <b>cookie_len</b> for <b>service</b>. Return 1 for success * and 0 for failure. */ static int rend_check_authorization(rend_service_t *service, const char *descriptor_cookie) const char *descriptor_cookie, size_t cookie_len) { rend_authorized_client_t *auth_client = NULL; tor_assert(service); Loading @@ -1325,6 +1327,13 @@ rend_check_authorization(rend_service_t *service, return 0; } if (cookie_len != REND_DESC_COOKIE_LEN) { log_info(LD_REND, "Descriptor cookie is %lu bytes, but we expected " "%lu bytes. Dropping cell.", (unsigned long)cookie_len, (unsigned long)REND_DESC_COOKIE_LEN); return 0; } /* Look up client authorization by descriptor cookie. */ SMARTLIST_FOREACH(service->clients, rend_authorized_client_t *, client, { if (tor_memeq(client->descriptor_cookie, descriptor_cookie, Loading Loading @@ -1672,7 +1681,8 @@ rend_service_introduce(origin_circuit_t *circuit, const uint8_t *request, if (service->clients) { if (parsed_req->version == 3 && parsed_req->u.v3.auth_len > 0) { if (rend_check_authorization(service, (const char*)parsed_req->u.v3.auth_data)) { (const char*)parsed_req->u.v3.auth_data, parsed_req->u.v3.auth_len)) { log_info(LD_REND, "Authorization data in INTRODUCE2 cell are valid."); } else { log_info(LD_REND, "The authorization data that are contained in " Loading
