Validate the RSA key size received when parsing INTRODUCE2 cells.

author Yawning Angel <yawning@schwanenlied.me>

Mon, 30 Mar 2015 21:53:39 +0000 (21:53 +0000)

committer Nick Mathewson <nickm@torproject.org>

Mon, 6 Apr 2015 13:18:17 +0000 (09:18 -0400)
author Yawning Angel <yawning@schwanenlied.me>
Mon, 30 Mar 2015 21:53:39 +0000 (21:53 +0000)
committer Nick Mathewson <nickm@torproject.org>
Mon, 6 Apr 2015 13:18:17 +0000 (09:18 -0400)
diff --git a/changes/bug15600 b/changes/bug15600

new file mode 100644 (file)

index 0000000..ee1d6cf
--- /dev/null
+++ b/changes/bug15600
@@ -0,0 +1,5 @@
+  o Major bugfixes (security, hidden service):
+    - Fix an issue that would allow a malicious client to trigger
+      an assertion failure and halt a hidden service. Fixes
+      bug 15600; bugfix on 0.2.1.6-alpha. Reported by "skruffy".
+
diff --git a/src/or/rendservice.c b/src/or/rendservice.c

index 8a4a11e475bc22df6c7aa27400f418a734137a7c..436f2f4b698263ed07b6f0af789cbd5e9af2a3bf 100644 (file)
--- a/src/or/rendservice.c
+++ b/src/or/rendservice.c
@@ -1810,6 +1810,16 @@ rend_service_parse_intro_for_v2(
  
      goto err;
    }
+  if (128 != crypto_pk_keysize(extend_info->onion_key)) {
+    if (err_msg_out) {
+      tor_asprintf(err_msg_out,
+                   "invalid onion key size in version %d INTRODUCE%d cell",
+                   intro->version,
+                   (intro->type));
+    }
+
+    goto err;
+  }
  
    ver_specific_len = 7+DIGEST_LEN+2+klen;
author	Yawning Angel <yawning@schwanenlied.me>
	Mon, 30 Mar 2015 21:53:39 +0000 (21:53 +0000)
committer	Nick Mathewson <nickm@torproject.org>
	Mon, 6 Apr 2015 13:18:17 +0000 (09:18 -0400)
changes/bug15600	[new file with mode: 0644]	patch \| blob
src/or/rendservice.c		patch \| blob \| blame \| history