authorNick Mathewson <nickm@torproject.org>2012-10-25 10:21:01 -0400
committerNick Mathewson <nickm@torproject.org>2012-10-25 10:21:01 -0400
commit48cdcc9d4ad12b7c57c8ac578db5961da27fde85 (patch)
treea9fd0982c3cad7b1cfc3dc2323b6ba1cbffb738c
parente4abac08a2ade5329594dcc220a02b3b680cb9e8 (diff)
parentc442d85439dd406c846e930dedcd8ed4c780d66e (diff)
downloadtor-48cdcc9d4ad12b7c57c8ac578db5961da27fde85.tar.gz
tor-48cdcc9d4ad12b7c57c8ac578db5961da27fde85.zip
Merge branch 'link_negotiation_assert_024'
-rw-r--r--changes/link_negotiation_assert6
-rw-r--r--src/or/channeltls.c9
2 files changed, 15 insertions, 0 deletions
diff --git a/changes/link_negotiation_assert b/changes/link_negotiation_assert
new file mode 100644
index 0000000000..398a545573
--- /dev/null
+++ b/changes/link_negotiation_assert
@@ -0,0 +1,6 @@
+ o Major bugfixs (security):
+ - Fix a group of remotely triggerable assertion failures related to
+ incorrect link protocol negotiation. Found, diagnosed, and fixed
+ by "some guy from France." Fix for CVE-2012-2250; bugfix on
+ 0.2.3.6-alpha.
+
diff --git a/src/or/channeltls.c b/src/or/channeltls.c
index 4e3c20ab71..d094d15af0 100644
--- a/src/or/channeltls.c
+++ b/src/or/channeltls.c
@@ -1229,6 +1229,15 @@ channel_tls_process_versions_cell(var_cell_t *cell, channel_tls_t *chan)
"handshake. Closing connection.");
connection_or_close_for_error(chan->conn, 0);
return;
+ } else if (highest_supported_version != 2 &&
+ chan->conn->base_.state == OR_CONN_STATE_OR_HANDSHAKING_V2) {
+ /* XXXX This should eventually be a log_protocol_warn */
+ log_fn(LOG_WARN, LD_OR,
+ "Negotiated link with non-2 protocol after doing a v2 TLS "
+ "handshake with %s. Closing connection.",
+ fmt_addr(&chan->conn->base_.addr));
+ connection_or_close_for_error(chan->conn, 0);
+ return;
}
chan->conn->link_proto = highest_supported_version;
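Review bot: The added `else if` branch logs at `LOG_WARN` for a condition the remote peer fully controls (the version it negotiates after a v2 TLS handshake), so the peer decides how many warn-level lines get written. The `XXXX` comment already concedes this, and the call could be `log_fn(LOG_PROTOCOL_WARN, LD_OR,` now rather than eventually. The message also passes `fmt_addr(&chan->conn->base_.addr)` to the log unscrubbed, while the preceding branch's message, as far as the context lines show, logs no address; if client connections to a relay can reach this path, the address probably belongs behind the project's log-scrubbing helper, which is worth confirming. I would also replace the `XXXX` with a why-comment such as `/* A v2 TLS handshake must end on link protocol 2; see CVE-2012-2250. */`. The function body starts and ends outside the hunk, so the log levels used by the earlier branches are not visible here.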