Fix out-of-bounds read in INTRODUCE2 client auth - tor - Transit encryption and privacy out of the box

diff options

author	John Brooks <john.brooks@dereferenced.net>	2015-04-25 22:52:35 -0600
committer	Nick Mathewson <nickm@torproject.org>	2017-02-07 08:31:37 -0500
commit	053e11f397f3f890c52a1add6aa4e75a9178eba0 (patch)
tree	686f329f0d76239a414ce800c3921b2cd280eb52 /src/or/routerset.c
parent	3833f67dd2dc35dbcfe1d5659c885f0b5f54125b (diff)
download	tor-053e11f397f3f890c52a1add6aa4e75a9178eba0.tar.gz tor-053e11f397f3f890c52a1add6aa4e75a9178eba0.zip

Fix out-of-bounds read in INTRODUCE2 client auth

The length of auth_data from an INTRODUCE2 cell is checked when the auth_type is recognized (1 or 2), but not for any other non-zero auth_type. Later, auth_data is assumed to have at least REND_DESC_COOKIE_LEN bytes, leading to a client-triggered out of bounds read. Fixed by checking auth_len before comparing the descriptor cookie against known clients. Fixes #15823; bugfix on 0.2.1.6-alpha.

Diffstat (limited to 'src/or/routerset.c')

0 files changed, 0 insertions, 0 deletions


context:
space:
mode: