diff options
| author | Nick Mathewson <nickm@torproject.org> | 2013-08-05 11:40:33 -0400 |
|---|---|---|
| committer | Roger Dingledine <arma@torproject.org> | 2013-08-10 17:49:51 -0400 |
| commit | d5cfbf96a2dbbee4501da92d5a21d0c66732ae24 (patch) | |
| tree | 2a4983a697ac6dc5faf87b39460cb03edbbe5f88 /src/or/rendservice.c | |
| parent | 0a0f93d277046a524740ad110060abf8ed137b8f (diff) | |
| download | tor-d5cfbf96a2dbbee4501da92d5a21d0c66732ae24.tar.gz tor-d5cfbf96a2dbbee4501da92d5a21d0c66732ae24.zip | |
Fix an uninitialized-read when parsing v3 introduction requests.
Fortunately, later checks mean that uninitialized data can't get sent
to the network by this bug. Unfortunately, reading uninitialized heap
*can* (in some cases, with some allocators) cause a crash if you get
unlucky and go off the end of a page.
Found by asn. Bugfix on 0.2.4.1-alpha.
Diffstat (limited to 'src/or/rendservice.c')
| -rw-r--r-- | src/or/rendservice.c | 10 |
1 files changed, 2 insertions, 8 deletions
diff --git a/src/or/rendservice.c b/src/or/rendservice.c index a8f63ddf66..00bca17d46 100644 --- a/src/or/rendservice.c +++ b/src/or/rendservice.c @@ -1898,8 +1898,8 @@ rend_service_parse_intro_for_v3( } } - /* Check that we actually have everything up to the timestamp */ - if (plaintext_len < (size_t)(ts_offset)) { + /* Check that we actually have everything up through the timestamp */ + if (plaintext_len < (size_t)(ts_offset)+4) { if (err_msg_out) { tor_asprintf(err_msg_out, "truncated plaintext of encrypted parted of " @@ -1923,12 +1923,6 @@ rend_service_parse_intro_for_v3( } /* - * Apparently we don't use the timestamp any more, but might as well copy - * over just in case we ever care about it. - */ - intro->u.v3.timestamp = ntohl(get_uint32(buf + ts_offset)); - - /* * From here on, the format is as in v2, so we call the v2 parser with * adjusted buffer and length. We are 4 + ts_offset octets in, but the * v2 parser expects to skip over a version byte at the start, so we |