aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorNick Mathewson <nickm@torproject.org>2021-06-10 12:30:11 -0400
committerNick Mathewson <nickm@torproject.org>2021-06-10 12:30:11 -0400
commit0ae9fd62fdc5ffd41bf5bbf2f4a3c1e2a151fa2d (patch)
tree901a1540561a81fc8baade6b3b8dd6128b65eb66
parent014345ed6abca3305fcbdea3b75a23adc3976926 (diff)
parentf57b5c48e0aa01acd84a194fe4657a0d1cee04cf (diff)
downloadtor-0ae9fd62fdc5ffd41bf5bbf2f4a3c1e2a151fa2d.tar.gz
tor-0ae9fd62fdc5ffd41bf5bbf2f4a3c1e2a151fa2d.zip
Merge branch 'maint-0.3.5' into maint-0.4.4
-rw-r--r--changes/bug403924
-rw-r--r--src/feature/hs/hs_descriptor.c3
2 files changed, 6 insertions, 1 deletions
diff --git a/changes/bug40392 b/changes/bug40392
new file mode 100644
index 0000000000..4dffa50bb2
--- /dev/null
+++ b/changes/bug40392
@@ -0,0 +1,4 @@
+ o Major bugfixes (security, denial of service, onion services):
+ - Fix an out-of-bounds memory access in v3 descriptor parsing. Fixes bug
+ 40392; bugfix on 0.3.0.1-alpha. This issue is also tracked as
+ TROVE-2021-006. Reported by Sergei Glazunov from Google's Project Zero. \ No newline at end of file
diff --git a/src/feature/hs/hs_descriptor.c b/src/feature/hs/hs_descriptor.c
index 50a46fb40f..c1e6553398 100644
--- a/src/feature/hs/hs_descriptor.c
+++ b/src/feature/hs/hs_descriptor.c
@@ -136,7 +136,7 @@ static token_rule_t hs_desc_superencrypted_v3_token_table[] = {
/** Descriptor ruleset for the encrypted section. */
static token_rule_t hs_desc_encrypted_v3_token_table[] = {
T1_START(str_create2_formats, R3_CREATE2_FORMATS, CONCAT_ARGS, NO_OBJ),
- T01(str_intro_auth_required, R3_INTRO_AUTH_REQUIRED, ARGS, NO_OBJ),
+ T01(str_intro_auth_required, R3_INTRO_AUTH_REQUIRED, GE(1), NO_OBJ),
T01(str_single_onion, R3_SINGLE_ONION_SERVICE, ARGS, NO_OBJ),
END_OF_TABLE
};
@@ -2321,6 +2321,7 @@ desc_decode_encrypted_v3(const hs_descriptor_t *desc,
/* Authentication type. It's optional but only once. */
tok = find_opt_by_keyword(tokens, R3_INTRO_AUTH_REQUIRED);
if (tok) {
+ tor_assert(tok->n_args >= 1);
if (!decode_auth_type(desc_encrypted_out, tok->args[0])) {
log_warn(LD_REND, "Service descriptor authentication type has "
"invalid entry(ies).");