diff options
| author | Nick Mathewson <nickm@torproject.org> | 2014-06-10 11:11:47 -0400 |
|---|---|---|
| committer | Roger Dingledine <arma@torproject.org> | 2014-07-24 19:45:38 -0400 |
| commit | 1b551823de6e6c03cf86bcbb7ca1b687c5f16ea6 (patch) | |
| tree | 253f53f9dd128a9fcd7eb60d030744fd87450c6e /changes/bug12227 | |
| parent | 71c62b15ca809105cbba0bf2fa86484793701b64 (diff) | |
| download | tor-1b551823de6e6c03cf86bcbb7ca1b687c5f16ea6.tar.gz tor-1b551823de6e6c03cf86bcbb7ca1b687c5f16ea6.zip | |
Avoid illegal read off end of an array in prune_v2_cipher_list
This function is supposed to construct a list of all the ciphers in
the "v2 link protocol cipher list" that are supported by Tor's
openssl. It does this by invoking ssl23_get_cipher_by_char on each
two-byte ciphersuite ID to see which ones give a match. But when
ssl23_get_cipher_by_char cannot find a match for a two-byte SSL3/TLS
ciphersuite ID, it checks to see whether it has a match for a
three-byte SSL2 ciphersuite ID. This was causing a read off the end
of the 'cipherid' array.
This was probably harmless in practice, but we shouldn't be having
any uninitialized reads.
(Using ssl23_get_cipher_by_char in this way is a kludge, but then
again the entire existence of the v2 link protocol is kind of a
kludge. Once Tor 0.2.2 clients are all gone, we can drop this code
entirely.)
Found by starlight. Fix on 0.2.4.8-alpha. Fixes bug 12227.
Diffstat (limited to 'changes/bug12227')
| -rw-r--r-- | changes/bug12227 | 5 |
1 files changed, 5 insertions, 0 deletions
diff --git a/changes/bug12227 b/changes/bug12227 new file mode 100644 index 0000000000..d8b5d08a55 --- /dev/null +++ b/changes/bug12227 @@ -0,0 +1,5 @@ + o Minor bugfixes: + - Avoid an illegal read from stack when initializing the TLS + module using a version of OpenSSL without all of the ciphers + used by the v2 link handshake. Fixes bug 12227; bugfix on + 0.2.4.8-alpha. Found by "starlight". |