authorNick Mathewson <nickm@torproject.org>2011-11-07 10:42:34 -0500
committerNick Mathewson <nickm@torproject.org>2011-11-07 10:42:34 -0500
commit4d8306e0e92200e1a25a073480ec342e22e590b7 (patch)
tree99a6c58be97590745be1ce4c7b1e5fa2e6afb302
parent972564630e8f85499e611f1eeb7174d0c0230731 (diff)
parentbe6928d6e78a47800a96962403efff753ad70e84 (diff)
Merge remote-tracking branch 'origin/maint-0.2.1' into maint-0.2.2
-rw-r--r--changes/bug44105
-rw-r--r--src/or/routerparse.c5
2 files changed, 10 insertions, 0 deletions
diff --git a/changes/bug4410 b/changes/bug4410
new file mode 100644
index 0000000000..f42893adf4
--- /dev/null
+++ b/changes/bug4410
@@ -0,0 +1,5 @@
+ o Major bugfixes:
+ - Correctly sanity-check that we don't underflow on a memory allocation
+ for introduction point decryption. Bug discovered by Dan Rosenberg.
+ Fixes bug 4410; bugfix on 0.2.1.5-alpha.
+
diff --git a/src/or/routerparse.c b/src/or/routerparse.c
index 001c4d6c7f..322a2b5713 100644
--- a/src/or/routerparse.c
+++ b/src/or/routerparse.c
@@ -4874,6 +4874,11 @@ rend_decrypt_introduction_points(char **ipos_decrypted,
crypto_cipher_env_t *cipher;
char *dec;
int declen;
+ if (ipos_encrypted_size < CIPHER_IV_LEN + 2) {
+ log_warn(LD_REND, "Size of encrypted introduction points is too "
+ "small.");
+ return -1;
+ }
dec = tor_malloc_zero(ipos_encrypted_size - CIPHER_IV_LEN - 1);
cipher = crypto_create_init_cipher(descriptor_cookie, 0);
declen = crypto_cipher_decrypt_with_iv(cipher, dec,
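Review bot: The new guard's `CIPHER_IV_LEN + 2` and the allocation's `ipos_encrypted_size - CIPHER_IV_LEN - 1` on the line after it describe the same buffer layout with two unexplained offsets, so a later change to one can silently bring the underflow back. I would put a comment above the check, for example `/* Need the leading type byte, the IV, and at least one byte of ciphertext. */` (the layout is inferred from the arithmetic and should be confirmed against the descriptor format). The check and the allocation could also share one named value, as in `if (ipos_encrypted_size < MIN_ENC_INTRO_LEN)`, where `MIN_ENC_INTRO_LEN` is a suggested new constant. Separately, `declen` is an `int` while the size parameter's type is declared outside this hunk; if it is `size_t`, an upper bound before the decrypt call is worth confirming as well. The body of rend_decrypt_introduction_points starts and ends outside the hunk, so other branches may need the same lower-bound check.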