diff options
| author | Yawning Angel <yawning@schwanenlied.me> | 2015-03-30 21:53:39 +0000 |
|---|---|---|
| committer | Nick Mathewson <nickm@torproject.org> | 2015-04-06 09:18:17 -0400 |
| commit | 49ddd92c115c6943c4602d44f52c22b6f47698e8 (patch) | |
| tree | 33793b0f5a5019eff42df48aca430a7fe96bc259 | |
| parent | 01e4bc80cd75bbf2a4ce3b18ff17550eed993bb0 (diff) | |
| download | tor-49ddd92c115c6943c4602d44f52c22b6f47698e8.tar.gz tor-49ddd92c115c6943c4602d44f52c22b6f47698e8.zip | |
Validate the RSA key size received when parsing INTRODUCE2 cells.
Fixes bug 15600; reported by skruffy
| -rw-r--r-- | changes/bug15600 | 5 | ||||
| -rw-r--r-- | src/or/rendservice.c | 10 |
2 files changed, 15 insertions, 0 deletions
diff --git a/changes/bug15600 b/changes/bug15600 new file mode 100644 index 0000000000..ee1d6cfe19 --- /dev/null +++ b/changes/bug15600 @@ -0,0 +1,5 @@ + o Major bugfixes (security, hidden service): + - Fix an issue that would allow a malicious client to trigger + an assertion failure and halt a hidden service. Fixes + bug 15600; bugfix on 0.2.1.6-alpha. Reported by "skruffy". + diff --git a/src/or/rendservice.c b/src/or/rendservice.c index 8a4a11e475..436f2f4b69 100644 --- a/src/or/rendservice.c +++ b/src/or/rendservice.c @@ -1810,6 +1810,16 @@ rend_service_parse_intro_for_v2( goto err; } + if (128 != crypto_pk_keysize(extend_info->onion_key)) { + if (err_msg_out) { + tor_asprintf(err_msg_out, + "invalid onion key size in version %d INTRODUCE%d cell", + intro->version, + (intro->type)); + } + + goto err; + } ver_specific_len = 7+DIGEST_LEN+2+klen; |