From: Yawning Angel <yawning@schwanenlied.me>
Date: Mon, 30 Mar 2015 21:53:39 +0000 (+0000)
Subject: Validate the RSA key size received when parsing INTRODUCE2 cells.
X-Git-Tag: tor-0.2.4.27~2^2~3
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=49ddd92c115c6943c4602d44f52c22b6f47698e8;p=thirdparty%2Ftor.git

Validate the RSA key size received when parsing INTRODUCE2 cells.

Fixes bug 15600; reported by skruffy
---

diff --git a/changes/bug15600 b/changes/bug15600
new file mode 100644
index 0000000000..ee1d6cfe19
--- /dev/null
+++ b/changes/bug15600
@@ -0,0 +1,5 @@
+  o Major bugfixes (security, hidden service):
+    - Fix an issue that would allow a malicious client to trigger
+      an assertion failure and halt a hidden service. Fixes
+      bug 15600; bugfix on 0.2.1.6-alpha. Reported by "skruffy".
+
diff --git a/src/or/rendservice.c b/src/or/rendservice.c
index 8a4a11e475..436f2f4b69 100644
--- a/src/or/rendservice.c
+++ b/src/or/rendservice.c
@@ -1810,6 +1810,16 @@ rend_service_parse_intro_for_v2(
 
     goto err;
   }
+  if (128 != crypto_pk_keysize(extend_info->onion_key)) {
+    if (err_msg_out) {
+      tor_asprintf(err_msg_out,
+                   "invalid onion key size in version %d INTRODUCE%d cell",
+                   intro->version,
+                   (intro->type));
+    }
+
+    goto err;
+  }
 
   ver_specific_len = 7+DIGEST_LEN+2+klen;