hs-v2: Remove any expiring intro from the retry list

TROVE-2017-13. Severity: High.

In the unlikely case that a hidden service could be missing intro circuit(s),
that it didn't have enough directory information to open new circuits and that
an intro point was about to expire, a use-after-free is possible because of
the intro point object being both in the retry list and expiring list at the
same time.

The intro object would get freed after the circuit failed to open and then
access a second time when cleaned up from the expiring list.

Fixes #24313

diff --git a/changes/bug24313 b/changes/bug24313
new file mode 100644 (file)
index 0000000..b927ec3
--- /dev/null
+++ b/changes/bug24313
@@ -0,0 +1,5 @@
+  o Major bugfixes (security, hidden service v2):
+    - Fix a use-after-free error that could crash v2 Tor hidden services
+      when it failed to open circuits while expiring introductions
+      points. Fixes bug 24313; bugfix on 0.2.7.2-alpha.  This
+      issue is also tracked as TROVE-2017-013 and CVE-2017-8823.

diff --git a/src/or/rendservice.c b/src/or/rendservice.c
index 0a5b5efd54be0c0ce50d2d7b8b750a45d626e6f3..cbf9981360019f7316161bf5a81cbe84d5ec104e 100644 (file)
--- a/src/or/rendservice.c
+++ b/src/or/rendservice.c
@@ -3444,6 +3444,10 @@ remove_invalid_intro_points(rend_service_t *service,
       log_info(LD_REND, "Expiring %s as intro point for %s.",
                safe_str_client(extend_info_describe(intro->extend_info)),
                safe_str_client(service->service_id));
+      /* We might have put it in the retry list if so, undo. */
+      if (retry_nodes) {
+        smartlist_remove(retry_nodes, intro);
+      }
       smartlist_add(service->expiring_nodes, intro);
       SMARTLIST_DEL_CURRENT(service->intro_nodes, intro);
       /* Intro point is expired, we need a new one thus don't consider it