diff options
| author | David Goulet <dgoulet@torproject.org> | 2017-02-24 09:48:14 -0500 |
|---|---|---|
| committer | Nick Mathewson <nickm@torproject.org> | 2017-02-24 11:36:36 -0500 |
| commit | 4ed10e5053ebef31d5f922933f7236a6ab743bf9 (patch) | |
| tree | 82518acf73b115ce9b5ab54c54c2ae830d4bd250 /src/or/rendservice.c | |
| parent | 823fb68a14b551fc1f40e904428b3e31732441c5 (diff) | |
| download | tor-4ed10e5053ebef31d5f922933f7236a6ab743bf9.tar.gz tor-4ed10e5053ebef31d5f922933f7236a6ab743bf9.zip | |
hs: Fix bad use of sizeof() when encoding ESTABLISH_INTRO legacy cell
When encoding a legacy ESTABLISH_INTRO cell, we were using the sizeof() on a
pointer instead of using the real size of the destination buffer leading to an
overflow passing an enormous value to the signing digest function.
Fortunately, that value was only used to make sure the destination buffer
length was big enough for the key size and in this case it always was because
of the overflow.
Fixes #21553
Signed-off-by: David Goulet <dgoulet@torproject.org>
Diffstat (limited to 'src/or/rendservice.c')
| -rw-r--r-- | src/or/rendservice.c | 12 |
1 files changed, 7 insertions, 5 deletions
diff --git a/src/or/rendservice.c b/src/or/rendservice.c index 1d6fc0f96d..522f33e5bb 100644 --- a/src/or/rendservice.c +++ b/src/or/rendservice.c @@ -3174,8 +3174,9 @@ count_intro_point_circuits(const rend_service_t *service) of bytes written. On fail, return -1. */ STATIC ssize_t -encode_establish_intro_cell_legacy(char *cell_body_out, crypto_pk_t *intro_key, - char *rend_circ_nonce) +encode_establish_intro_cell_legacy(char *cell_body_out, + size_t cell_body_out_len, + crypto_pk_t *intro_key, char *rend_circ_nonce) { int retval = -1; int r; @@ -3202,7 +3203,7 @@ encode_establish_intro_cell_legacy(char *cell_body_out, crypto_pk_t *intro_key, len += 20; note_crypto_pk_op(REND_SERVER); r = crypto_pk_private_sign_digest(intro_key, cell_body_out+len, - sizeof(cell_body_out)-len, + cell_body_out_len - len, cell_body_out, len); if (r<0) { log_warn(LD_BUG, "Internal error: couldn't sign introduction request."); @@ -3313,8 +3314,9 @@ rend_service_intro_has_opened(origin_circuit_t *circuit) /* Send the ESTABLISH_INTRO cell */ { ssize_t len; - len = encode_establish_intro_cell_legacy(buf, circuit->intro_key, - circuit->cpath->prev->rend_circ_nonce); + len = encode_establish_intro_cell_legacy(buf, sizeof(buf), + circuit->intro_key, + circuit->cpath->prev->rend_circ_nonce); if (len < 0) { reason = END_CIRC_REASON_INTERNAL; goto err; |