hs_pow: fix insufficient length check in pow-params
authorMicah Elizabeth Scott <beth@torproject.org>
Mon, 15 May 2023 19:11:00 +0000 (12:11 -0700)
committerMicah Elizabeth Scott <beth@torproject.org>
Mon, 15 May 2023 19:11:00 +0000 (12:11 -0700)
The descriptor validation table had an out of date minimum length
for pow-params (3) whereas the spec and the current code expect at
least 4 parameters. This was an opportunity for a malicious service
to cause an assert failure in clients which attempted to parse its
descriptor.

Addresses issue #40793

Signed-off-by: Micah Elizabeth Scott <beth@torproject.org>
src/feature/hs/hs_descriptor.c

index d07f900e3a5058f9b191d732b1d814880fde33f0..7b519e4c78cd946b55dcc43e671b5767a5e74e58 100644 (file)
@@ -155,7 +155,7 @@ static token_rule_t hs_desc_encrypted_v3_token_table[] = {
   T01(str_intro_auth_required, R3_INTRO_AUTH_REQUIRED, GE(1), NO_OBJ),
   T01(str_single_onion, R3_SINGLE_ONION_SERVICE, ARGS, NO_OBJ),
   T01(str_flow_control, R3_FLOW_CONTROL, GE(2), NO_OBJ),
-  T01(str_pow_params, R3_POW_PARAMS, GE(3), NO_OBJ),
+  T01(str_pow_params, R3_POW_PARAMS, GE(4), NO_OBJ),
   END_OF_TABLE
 };
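Review bot: The `GE(4)` on the `str_pow_params` row is now the only thing keeping a short pow-params line away from the assert described in the commit message, and nothing on that row says which code relies on the count. I would add a comment above it, e.g. `/* arg count must match what the pow-params decoder reads; keep in sync with the spec */`, so a later spec change updates both places. The descriptor comes from an untrusted service, so the decoder (outside this hunk, as is the start of the table) would presumably be safer returning a parse error on too few arguments than asserting. A stale table entry would then produce a rejected descriptor instead of a client crash. A regression test that feeds a three-argument pow-params line and expects a clean decode failure would pin the fix.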