Fix detection of point to insert signatures on a pending consensus.

We were looking for the first instance of "directory-signature " when instead the correct behavior is to look for the first instance of "directory-signature " at the start of a line. Unfortunately, this can be exploited as to crash authorities while they're voting. Fixes #40316; bugfix on 0.2.2.4-alpha. This is TROVE-2021-002, also tracked as CVE-2021-28090.
author: Nick Mathewson <nickm@torproject.org> 2021-03-03 15:14:31 -0500
committer: Nick Mathewson <nickm@torproject.org> 2021-03-15 08:56:58 -0400
commit: 890ae4fb1adfa13e37aaf5261e089e8c195a75cf (patch)
tree: d033c449d75a45c1586239458530d96fe131cb1a /src/feature/dirauth/dirvote.c
parent: 296a557bfc5769617da53eee5a8670e2428ca458 (diff)
download: tor-890ae4fb1adfa13e37aaf5261e089e8c195a75cf.tar.gz
tor-890ae4fb1adfa13e37aaf5261e089e8c195a75cf.zip
1 files changed, 1 insertions, 1 deletions
diff --git a/src/feature/dirauth/dirvote.c b/src/feature/dirauth/dirvote.c
index af8b3dc207..9e01cee42a 100644
--- a/src/feature/dirauth/dirvote.c
+++ b/src/feature/dirauth/dirvote.c
@@ -3520,7 +3520,7 @@ dirvote_add_signatures_to_pending_consensus(
       strlen(pc->body) + strlen(new_signatures) + 1;
     pc->body = tor_realloc(pc->body, new_consensus_len);
     dst_end = pc->body + new_consensus_len;
-    dst = strstr(pc->body, "directory-signature ");
+    dst = (char *) find_str_at_start_of_line(pc->body, "directory-signature ");
     tor_assert(dst);
     strlcpy(dst, new_signatures, dst_end-dst);
author	Nick Mathewson <nickm@torproject.org>	2021-03-03 15:14:31 -0500
committer	Nick Mathewson <nickm@torproject.org>	2021-03-15 08:56:58 -0400
commit	890ae4fb1adfa13e37aaf5261e089e8c195a75cf (patch)
tree	d033c449d75a45c1586239458530d96fe131cb1a /src/feature/dirauth/dirvote.c
parent	296a557bfc5769617da53eee5a8670e2428ca458 (diff)
download	tor-890ae4fb1adfa13e37aaf5261e089e8c195a75cf.tar.gz tor-890ae4fb1adfa13e37aaf5261e089e8c195a75cf.zip