From 053e11f397f3f890c52a1add6aa4e75a9178eba0 Mon Sep 17 00:00:00 2001
From: John Brooks <john.brooks@dereferenced.net>
Date: Sat, 25 Apr 2015 22:52:35 -0600
Subject: Fix out-of-bounds read in INTRODUCE2 client auth

The length of auth_data from an INTRODUCE2 cell is checked when the
auth_type is recognized (1 or 2), but not for any other non-zero
auth_type. Later, auth_data is assumed to have at least
REND_DESC_COOKIE_LEN bytes, leading to a client-triggered out of bounds
read.

Fixed by checking auth_len before comparing the descriptor cookie
against known clients.

Fixes #15823; bugfix on 0.2.1.6-alpha.
---
 changes/bug15823 | 4 ++++
 1 file changed, 4 insertions(+)
 create mode 100644 changes/bug15823

(limited to 'changes/bug15823')

diff --git a/changes/bug15823 b/changes/bug15823
new file mode 100644
index 0000000000..987de5d9ac
--- /dev/null
+++ b/changes/bug15823
@@ -0,0 +1,4 @@
+  o Minor bugfixes (hidden service):
+    - Fix an out-of-bounds read when parsing invalid INTRODUCE2 cells
+      on a client authorized hidden service. Fixes bug 15823; bugfix
+      on 0.2.1.6-alpha.
-- 
cgit v1.2.3-54-g00ecf