Fix out-of-bounds read in INTRODUCE2 client auth

The length of auth_data from an INTRODUCE2 cell is checked when the auth_type is recognized (1 or 2), but not for any other non-zero auth_type. Later, auth_data is assumed to have at least REND_DESC_COOKIE_LEN bytes, leading to a client-triggered out of bounds read. Fixed by checking auth_len before comparing the descriptor cookie against known clients. Fixes #15823; bugfix on 0.2.1.6-alpha.
author: John Brooks <john.brooks@dereferenced.net> 2015-04-25 22:52:35 -0600
committer: Nick Mathewson <nickm@torproject.org> 2017-02-07 08:31:37 -0500
commit: 053e11f397f3f890c52a1add6aa4e75a9178eba0 (patch)
tree: 686f329f0d76239a414ce800c3921b2cd280eb52 /changes/bug15823
parent: 3833f67dd2dc35dbcfe1d5659c885f0b5f54125b (diff)
download: tor-053e11f397f3f890c52a1add6aa4e75a9178eba0.tar.gz
tor-053e11f397f3f890c52a1add6aa4e75a9178eba0.zip
1 files changed, 4 insertions, 0 deletions
diff --git a/changes/bug15823 b/changes/bug15823
new file mode 100644
index 0000000000..987de5d9ac
--- /dev/null
+++ b/changes/bug15823
@@ -0,0 +1,4 @@
+  o Minor bugfixes (hidden service):
+    - Fix an out-of-bounds read when parsing invalid INTRODUCE2 cells
+      on a client authorized hidden service. Fixes bug 15823; bugfix
+      on 0.2.1.6-alpha.
author	John Brooks <john.brooks@dereferenced.net>	2015-04-25 22:52:35 -0600
committer	Nick Mathewson <nickm@torproject.org>	2017-02-07 08:31:37 -0500
commit	053e11f397f3f890c52a1add6aa4e75a9178eba0 (patch)
tree	686f329f0d76239a414ce800c3921b2cd280eb52 /changes/bug15823
parent	3833f67dd2dc35dbcfe1d5659c885f0b5f54125b (diff)
download	tor-053e11f397f3f890c52a1add6aa4e75a9178eba0.tar.gz tor-053e11f397f3f890c52a1add6aa4e75a9178eba0.zip