diff options
| author | Roger Dingledine <arma@torproject.org> | 2013-08-10 18:00:47 -0400 |
|---|---|---|
| committer | Roger Dingledine <arma@torproject.org> | 2013-08-10 18:00:47 -0400 |
| commit | 42335972d5f73c18b59459201d80f4e769cc2a5b (patch) | |
| tree | b9fcedbc2b8dca0c97543249f993e957d87464b4 | |
| parent | a2ea9df49895f45fd9fcc6a4526769be935bf330 (diff) | |
| parent | d5cfbf96a2dbbee4501da92d5a21d0c66732ae24 (diff) | |
| download | tor-42335972d5f73c18b59459201d80f4e769cc2a5b.tar.gz tor-42335972d5f73c18b59459201d80f4e769cc2a5b.zip | |
Merge branch 'maint-0.2.4' into release-0.2.4
| -rw-r--r-- | changes/v3_intro_len | 8 | ||||
| -rw-r--r-- | src/or/rendservice.c | 10 | ||||
| -rw-r--r-- | src/or/rendservice.h | 2 |
3 files changed, 10 insertions, 10 deletions
diff --git a/changes/v3_intro_len b/changes/v3_intro_len new file mode 100644 index 0000000000..fbe39bce3b --- /dev/null +++ b/changes/v3_intro_len @@ -0,0 +1,8 @@ + o Major bugfixes: + + - Fix an uninitialized read that could (in some cases) lead to a remote + crash while parsing INTRODUCE 1 cells. (This is, so far as we know, + unrelated to the recent news.) Fixes bug XXX; bugfix on + 0.2.4.1-alpha. Anybody running a hidden service on the experimental + 0.2.4.x branch should upgrade. + diff --git a/src/or/rendservice.c b/src/or/rendservice.c index a8f63ddf66..00bca17d46 100644 --- a/src/or/rendservice.c +++ b/src/or/rendservice.c @@ -1898,8 +1898,8 @@ rend_service_parse_intro_for_v3( } } - /* Check that we actually have everything up to the timestamp */ - if (plaintext_len < (size_t)(ts_offset)) { + /* Check that we actually have everything up through the timestamp */ + if (plaintext_len < (size_t)(ts_offset)+4) { if (err_msg_out) { tor_asprintf(err_msg_out, "truncated plaintext of encrypted parted of " @@ -1923,12 +1923,6 @@ rend_service_parse_intro_for_v3( } /* - * Apparently we don't use the timestamp any more, but might as well copy - * over just in case we ever care about it. - */ - intro->u.v3.timestamp = ntohl(get_uint32(buf + ts_offset)); - - /* * From here on, the format is as in v2, so we call the v2 parser with * adjusted buffer and length. We are 4 + ts_offset octets in, but the * v2 parser expects to skip over a version byte at the start, so we diff --git a/src/or/rendservice.h b/src/or/rendservice.h index ff31ba6edb..caf88a3d64 100644 --- a/src/or/rendservice.h +++ b/src/or/rendservice.h @@ -56,8 +56,6 @@ struct rend_intro_cell_s { uint16_t auth_len; /* Auth data */ uint8_t *auth_data; - /* timestamp */ - uint32_t timestamp; /* Rendezvous point's IP address/port, identity digest and onion key */ extend_info_t *extend_info; } v3; |