Fix out-of-bounds read in INTRODUCE2 client auth

The length of auth_data from an INTRODUCE2 cell is checked when the auth_type is recognized (1 or 2), but not for any other non-zero auth_type. Later, auth_data is assumed to have at least REND_DESC_COOKIE_LEN bytes, leading to a client-triggered out of bounds read. Fixed by checking auth_len before comparing the descriptor cookie against known clients. Fixes #15823; bugfix on 0.2.1.6-alpha.
author: John Brooks <john.brooks@dereferenced.net> 2015-04-25 22:52:35 -0600
committer: Nick Mathewson <nickm@torproject.org> 2015-05-05 15:05:32 -0400
commit: 2b27ce52d2b96a91410fbf8e9c6f2ce7cf036961 (patch)
tree: 1bc1f2fc39c8b65908c0b141d61bd8d059006e33 /changes/bug15823
parent: 6c7720ed49623f649aa6280606c129ee153b04ed (diff)
download: tor-2b27ce52d2b96a91410fbf8e9c6f2ce7cf036961.tar.gz
tor-2b27ce52d2b96a91410fbf8e9c6f2ce7cf036961.zip
1 files changed, 4 insertions, 0 deletions
diff --git a/changes/bug15823 b/changes/bug15823
new file mode 100644
index 0000000000..987de5d9ac
--- /dev/null
+++ b/changes/bug15823
@@ -0,0 +1,4 @@
+  o Minor bugfixes (hidden service):
+    - Fix an out-of-bounds read when parsing invalid INTRODUCE2 cells
+      on a client authorized hidden service. Fixes bug 15823; bugfix
+      on 0.2.1.6-alpha.
author	John Brooks <john.brooks@dereferenced.net>	2015-04-25 22:52:35 -0600
committer	Nick Mathewson <nickm@torproject.org>	2015-05-05 15:05:32 -0400
commit	2b27ce52d2b96a91410fbf8e9c6f2ce7cf036961 (patch)
tree	1bc1f2fc39c8b65908c0b141d61bd8d059006e33 /changes/bug15823
parent	6c7720ed49623f649aa6280606c129ee153b04ed (diff)
download	tor-2b27ce52d2b96a91410fbf8e9c6f2ce7cf036961.tar.gz tor-2b27ce52d2b96a91410fbf8e9c6f2ce7cf036961.zip