From d5cfbf96a2dbbee4501da92d5a21d0c66732ae24 Mon Sep 17 00:00:00 2001 From: Nick Mathewson Date: Mon, 5 Aug 2013 11:40:33 -0400 Subject: Fix an uninitialized-read when parsing v3 introduction requests. Fortunately, later checks mean that uninitialized data can't get sent to the network by this bug. Unfortunately, reading uninitialized heap *can* (in some cases, with some allocators) cause a crash if you get unlucky and go off the end of a page. Found by asn. Bugfix on 0.2.4.1-alpha. --- src/or/rendservice.c | 10 ++-------- src/or/rendservice.h | 2 -- 2 files changed, 2 insertions(+), 10 deletions(-) (limited to 'src') diff --git a/src/or/rendservice.c b/src/or/rendservice.c index a8f63ddf66..00bca17d46 100644 --- a/src/or/rendservice.c +++ b/src/or/rendservice.c @@ -1898,8 +1898,8 @@ rend_service_parse_intro_for_v3( } } - /* Check that we actually have everything up to the timestamp */ - if (plaintext_len < (size_t)(ts_offset)) { + /* Check that we actually have everything up through the timestamp */ + if (plaintext_len < (size_t)(ts_offset)+4) { if (err_msg_out) { tor_asprintf(err_msg_out, "truncated plaintext of encrypted parted of " @@ -1922,12 +1922,6 @@ rend_service_parse_intro_for_v3( memcpy(intro->u.v3.auth_data, buf + 4, intro->u.v3.auth_len); } - /* - * Apparently we don't use the timestamp any more, but might as well copy - * over just in case we ever care about it. - */ - intro->u.v3.timestamp = ntohl(get_uint32(buf + ts_offset)); - /* * From here on, the format is as in v2, so we call the v2 parser with * adjusted buffer and length. We are 4 + ts_offset octets in, but the diff --git a/src/or/rendservice.h b/src/or/rendservice.h index ff31ba6edb..caf88a3d64 100644 --- a/src/or/rendservice.h +++ b/src/or/rendservice.h @@ -56,8 +56,6 @@ struct rend_intro_cell_s { uint16_t auth_len; /* Auth data */ uint8_t *auth_data; - /* timestamp */ - uint32_t timestamp; /* Rendezvous point's IP address/port, identity digest and onion key */ extend_info_t *extend_info; } v3; -- cgit v1.2.3-54-g00ecf