From: Roger Dingledine Date: Thu, 3 Sep 2009 00:36:11 +0000 (-0400) Subject: Fix obscure 64-bit big-endian hidserv bug X-Git-Tag: tor-0.2.2.2-alpha~31^2 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=fcacf224913b3a0a08cef06a7241348f49b26e49;p=thirdparty%2Ftor.git Fix obscure 64-bit big-endian hidserv bug Fix an obscure bug where hidden services on 64-bit big-endian systems might mis-read the timestamp in v3 introduce cells, and refuse to connect back to the client. Discovered by "rotor". Bugfix on 0.2.1.6-alpha. --- diff --git a/ChangeLog b/ChangeLog index 3699dbc99d..1da6a97193 100644 --- a/ChangeLog +++ b/ChangeLog @@ -18,6 +18,10 @@ Changes in version 0.2.1.20 - 2009-??-?? - Fix an extremely rare infinite recursion bug that could occur if we tried to log a message after shutting down the log subsystem. Found by Matt Edman. Bugfix on 0.2.0.16-alpha. + - Fix an obscure bug where hidden services on 64-bit big-endian + systems might mis-read the timestamp in v3 introduce cells, and + refuse to connect back to the client. Discovered by "rotor". + Bugfix on 0.2.1.6-alpha. - We were triggering a CLOCK_SKEW controller status event whenever we connect via the v2 connection protocol to any relay that has a wrong clock. Instead, we should only inform the controller when diff --git a/src/or/rendservice.c b/src/or/rendservice.c index 7ba00993c4..3144ef2f04 100644 --- a/src/or/rendservice.c +++ b/src/or/rendservice.c @@ -1011,13 +1011,12 @@ rend_service_introduce(origin_circuit_t *circuit, const char *request, } /* Check timestamp. */ - memcpy((char*)&ts, buf+1+v3_shift, sizeof(uint32_t)); + ts = ntohl(get_uint32(buf+1+v3_shift)); v3_shift += 4; - ts = ntohl((uint32_t)ts); if ((now - ts) < -1 * REND_REPLAY_TIME_INTERVAL / 2 || (now - ts) > REND_REPLAY_TIME_INTERVAL / 2) { log_warn(LD_REND, "INTRODUCE2 cell is too %s. Discarding.", - (now - ts) < 0 ? "old" : "new"); + (now - ts) < 0 ? "old" : "new"); return -1; } }
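Review bot: In the src/or/rendservice.c hunk, the ternary in the log_warn call, (now - ts) < 0 ? "old" : "new", looks inverted, and this patch only re-indents that line. When now - ts is negative the timestamp in the cell is ahead of the local clock, so the cell is too new rather than too old; consider swapping the two strings while the line is being touched, or splitting the whitespace-only change into its own commit so the functional fix stays minimal. On the fix itself, a one-line comment above ts = ntohl(get_uint32(buf+1+v3_shift)); would keep the old pattern from coming back: the removed memcpy wrote only sizeof(uint32_t) bytes into ts, and if ts is wider than 32 bits those bytes land in the high-order half on a big-endian host, so the following (uint32_t)ts cast read the half that was never written. The declaration of ts and any length check on buf are outside the visible context, so it is worth confirming that at least 4 bytes remain at buf+1+v3_shift before this read.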