diff options
| author | Robert Ransom <rransom.8774@gmail.com> | 2012-09-13 07:39:39 -0400 |
|---|---|---|
| committer | Robert Ransom <rransom.8774@gmail.com> | 2012-09-13 07:48:21 -0400 |
| commit | 0a6480cdd00fbed2eba0e5bab6ef82bc809c665b (patch) | |
| tree | 9e4ba0a8f26be20baa70e393132358905f077b2d | |
| parent | 45439bfced7f41c2e0beecb715880cb83d421618 (diff) | |
| download | tor-0a6480cdd00fbed2eba0e5bab6ef82bc809c665b.tar.gz tor-0a6480cdd00fbed2eba0e5bab6ef82bc809c665b.zip | |
Avoid undefined behaviour when parsing HS protocol versions
Fixes bug 6827; bugfix on c58675ca728f12b42f65e5b8964ae695c2e0ec2d
(when the v2 HS desc parser was implemented).
Found by asn.
| -rw-r--r-- | changes/bug6827 | 8 | ||||
| -rw-r--r-- | src/or/or.h | 7 | ||||
| -rw-r--r-- | src/or/routerparse.c | 3 |
3 files changed, 16 insertions, 2 deletions
diff --git a/changes/bug6827 b/changes/bug6827 new file mode 100644 index 0000000000..799c459658 --- /dev/null +++ b/changes/bug6827 @@ -0,0 +1,8 @@ + o Minor bugfixes: + + - Avoid undefined behaviour when parsing the list of supported + rendezvous/introduction protocols in a hidden service + descriptor. Previously, Tor would have confused (as-yet-unused) + protocol version numbers greater than 32 with lower ones on many + platforms. Bugfix on 0.2.0.10-alpha; found by George Kadianakis. + diff --git a/src/or/or.h b/src/or/or.h index 9074083a04..51c23d305d 100644 --- a/src/or/or.h +++ b/src/or/or.h @@ -4279,14 +4279,17 @@ typedef struct rend_intro_point_t { time_t time_expiring; } rend_intro_point_t; +#define REND_PROTOCOL_VERSION_BITMASK_WIDTH 16 + /** Information used to connect to a hidden service. Used on both the * service side and the client side. */ typedef struct rend_service_descriptor_t { crypto_pk_t *pk; /**< This service's public key. */ int version; /**< Version of the descriptor format: 0 or 2. */ time_t timestamp; /**< Time when the descriptor was generated. */ - uint16_t protocols; /**< Bitmask: which rendezvous protocols are supported? - * (We allow bits '0', '1', and '2' to be set.) */ + /** Bitmask: which rendezvous protocols are supported? + * (We allow bits '0', '1', and '2' to be set.) */ + int protocols : REND_PROTOCOL_VERSION_BITMASK_WIDTH; /** List of the service's introduction points. Elements are removed if * introduction attempts fail. */ smartlist_t *intro_nodes; diff --git a/src/or/routerparse.c b/src/or/routerparse.c index 60a2eae75f..2bf072b3cf 100644 --- a/src/or/routerparse.c +++ b/src/or/routerparse.c @@ -4823,6 +4823,9 @@ rend_parse_v2_service_descriptor(rend_service_descriptor_t **parsed_out, 10, 0, INT_MAX, &num_ok, NULL); if (!num_ok) /* It's a string; let's ignore it. */ continue; + if (version >= REND_PROTOCOL_VERSION_BITMASK_WIDTH) + /* Avoid undefined left-shift behaviour. */ + continue; result->protocols |= 1 << version; } SMARTLIST_FOREACH(versions, char *, cp, tor_free(cp)); |