Without this code, if V1 relay cell format were in use, and the relay message
length were set to 0 or 1, then an EXTEND cell could be read beyond the end of
the relay cell payload. This could extend beyond the underlying cell body if
the V1 relay cell format had been negotiated. This would typically lead either
to a crash or to a rejected circuit.
Closes bug 41180; bugfix on 0.4.9.3-alpha, when we made the maximum
size of a relay payload variable.
0.4.8.x and earlier can similarly mis-handle low payload values, but the
bug there cannot be used to read uninitialized data.
--- /dev/null
+ o Major bugfixes (security):
+ - Avoid an out-of-bounds read error that could occur with
+ V1-formatted cells on Tor 0.4.9.3-alpha or later.
+ Fixes bug 41180; bugfix on 0.4.9.3-alpha.
+ This is tracked as TROVE-2025-016.
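Review bot: the changes entry names the affected versions and the TROVE id but not the impact; the commit message says the out-of-bounds read typically leads to a crash or a rejected circuit, and a release-note reader judging urgency wants that clause, e.g. `- Avoid an out-of-bounds read error (typically leading to a crash or a rejected circuit) that could occur with V1-formatted cells on Tor 0.4.9.3-alpha or later.`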
break;
case RELAY_COMMAND_EXTENDED2:
{
+ if (payload_len < 2) {
+ // Prevent underflow below.
+ return -1;
+ }
cell_out->cell_type = RELAY_COMMAND_EXTENDED2;
cell_out->created_cell.cell_type = CELL_CREATED2;
cell_out->created_cell.handshake_len = ntohs(get_uint16(payload));
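Review bot: the comment `// Prevent underflow below.` understates what the `payload_len < 2` check does: the very next line, `ntohs(get_uint16(payload))`, reads two bytes from the payload, so with `payload_len` of 0 or 1 that read itself runs past the end of the relay payload, which is the out-of-bounds read the commit message describes. Suggest a comment that states both reasons, e.g. `// Need at least 2 bytes to read handshake_len; also prevents underflow below.` Separately, the commit message speaks of an EXTEND cell being read beyond the payload, while this hunk only guards the `RELAY_COMMAND_EXTENDED2` case; confirm that the EXTEND2 parsing path (not in this hunk) carries the equivalent minimum-length check, and that `handshake_len` is bounded against `payload_len - 2` after it is read.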