authorNick Mathewson <nickm@torproject.org>2012-10-23 23:04:35 -0400
committerNick Mathewson <nickm@torproject.org>2012-10-23 23:09:21 -0400
commitc442d85439dd406c846e930dedcd8ed4c780d66e (patch)
tree9d0bcd8a231e2ad0dc10c07601715d5e462e46a2 /src/or/channeltls.c
parent3d825d22c3d20f03b34cbe4d9e8874a816e45c4a (diff)
Fix a remotely triggerable assertion failure (CVE-2012-2250)
If we completed the handshake for the v2 link protocol but wound up negotiating the wrong protocol version, we'd become so confused about what part of the handshake we were in that we'd promptly die with an assertion. This is a fix for CVE-2012-2250; it's a bugfix on 0.2.3.6-alpha. All servers running that version or later should really upgrade. Bug and fix from "some guy from France." I tweaked his code slightly to make it log the IP of the offending node, and to forward-port it to 0.2.4.
Diffstat (limited to 'src/or/channeltls.c')
-rw-r--r--src/or/channeltls.c9
1 files changed, 9 insertions, 0 deletions
diff --git a/src/or/channeltls.c b/src/or/channeltls.c
index 4e3c20ab71..d094d15af0 100644
--- a/src/or/channeltls.c
+++ b/src/or/channeltls.c
@@ -1229,6 +1229,15 @@ channel_tls_process_versions_cell(var_cell_t *cell, channel_tls_t *chan)
"handshake. Closing connection.");
connection_or_close_for_error(chan->conn, 0);
return;
+ } else if (highest_supported_version != 2 &&
+ chan->conn->base_.state == OR_CONN_STATE_OR_HANDSHAKING_V2) {
+ /* XXXX This should eventually be a log_protocol_warn */
+ log_fn(LOG_WARN, LD_OR,
+ "Negotiated link with non-2 protocol after doing a v2 TLS "
+ "handshake with %s. Closing connection.",
+ fmt_addr(&chan->conn->base_.addr));
+ connection_or_close_for_error(chan->conn, 0);
+ return;
}
chan->conn->link_proto = highest_supported_version;
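Review bot: The added branch logs at `LOG_WARN` for a condition that the commit message itself describes as remotely triggerable, so any peer that finishes a v2 TLS handshake and then negotiates another version can write an operator-visible warning on every attempt. The `XXXX` comment acknowledges this but leaves it unresolved. Either switch the call now to `log_fn(LOG_PROTOCOL_WARN, LD_OR,` or, if the warning level is deliberate so that operators notice attempts against CVE-2012-2250, say so in the comment and rate-limit the message. A regression test that sends a VERSIONS cell negotiating a non-2 version while the connection is in `OR_CONN_STATE_OR_HANDSHAKING_V2` would pin the close-instead-of-assert behaviour. channel_tls_process_versions_cell starts and ends outside this hunk, so how the remaining state/version combinations are handled cannot be judged from here.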