[tor-bugs] #4410 [Tor Client]: Remote assertion failure in client



#4410: Remote assertion failure in client
------------------------+---------------------------------------------------
 Reporter:  drosenbe    |          Owner:                  
     Type:  defect      |         Status:  new             
 Priority:  normal      |      Milestone:                  
Component:  Tor Client  |        Version:  Tor: unspecified
 Keywords:              |         Parent:                  
   Points:              |   Actualpoints:                  
------------------------+---------------------------------------------------
 It appears to be possible to remotely trigger an assertion failure in the
 client when it's parsing directory authority responses.

 If a client receives a response with purpose
 DIR_PURPOSE_FETCH_RENDDESC_V2, it calls
 rend_cache_store_v2_desc_as_client() (in or/rendcommon.c), which
 immediately calls rend_parse_v2_service_descriptor() (in or/routerparse.c)
 to parse the descriptor.  This will parse the descriptor and pull out the
 encrypted introduction points without validation on contents or size (to
 be performed later).

 Then, back in rend_cache_store_v2_desc_as_client(),
 rend_decrypt_introduction_points() (in or/routerparse.c) is called.  This
 function verifies the size of the encrypted introduction isn't less than
 2.  If the type is REND_STEALTH_AUTH, the following is immediately called:

     dec = tor_malloc_zero(ipos_encrypted_size - CIPHER_IV_LEN - 1);

 If the size is less than CIPHER_IV_LEN, this will underflow and the
 allocation attempt on a huge size will trigger an assertion failure.

-- 
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/4410>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
_______________________________________________
tor-bugs mailing list
tor-bugs@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs
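The length arithmetic the ticket describes, as an added example that is not part of the original report and not Tor's own code. It reproduces the size expression from the report in isolation, shows at which lengths it wraps around on an unsigned size_t, and puts a bounds check in front of it. The constants are assumed for the example: CIPHER_IV_LEN is taken as 16 (Tor's AES-128 IV length) and REND_STEALTH_AUTH as 2, and the blob layout (one type byte, then the IV, then ciphertext) is inferred from the quoted expression. No allocation with the wrapped size is attempted; the point is the check that should come first.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed values for this example (see lead-in). */
#define CIPHER_IV_LEN 16
#define REND_BASIC_AUTH 1
#define REND_STEALTH_AUTH 2

/* The expression quoted in the ticket, unchanged. ipos_encrypted_size is an
 * unsigned size_t, so for small inputs the subtraction wraps to a value near
 * SIZE_MAX, which is what a tor_malloc_zero() caller would then request. */
size_t vulnerable_dec_size(size_t ipos_encrypted_size) {
    return ipos_encrypted_size - CIPHER_IV_LEN - 1;
}

/* Returns 1 when the expression above would wrap, i.e. when the blob is too
 * short to even contain the type byte plus a full IV. */
int dec_size_wraps(size_t ipos_encrypted_size) {
    return ipos_encrypted_size < (size_t)CIPHER_IV_LEN + 1;
}

/* Hardened variant: the "size >= 2" check from the report is kept, and a
 * layout-aware check is added before any subtraction happens.
 * Returns 0 and writes the plaintext size to *out, or -1 on a malformed blob. */
int checked_dec_size(const uint8_t *ipos_encrypted, size_t ipos_encrypted_size,
                     size_t *out) {
    if (ipos_encrypted == NULL || out == NULL)
        return -1;
    if (ipos_encrypted_size < 2)            /* the check the report mentions */
        return -1;
    if (ipos_encrypted[0] != REND_STEALTH_AUTH)
        return -1;                          /* other auth types not modelled here */
    /* Need: 1 type byte + CIPHER_IV_LEN IV bytes + at least 1 ciphertext byte. */
    if (ipos_encrypted_size < 1 + (size_t)CIPHER_IV_LEN + 1)
        return -1;
    *out = ipos_encrypted_size - CIPHER_IV_LEN - 1;   /* now cannot wrap */
    return 0;
}

/* Constructed input: a 2-byte stealth-auth blob, the smallest that passes the
 * original "size >= 2" check. Returns 1 if the hardened check rejects it. */
int demo_short_blob_rejected(void) {
    uint8_t blob[2] = { REND_STEALTH_AUTH, 0x00 };
    size_t n = 0;
    return checked_dec_size(blob, sizeof blob, &n) == -1;
}

/* Constructed input: a 20-byte stealth-auth blob (type + 16-byte IV + 3 bytes
 * of ciphertext). Returns the computed plaintext size, or -1 if rejected. */
long demo_valid_blob_size(void) {
    uint8_t blob[20];
    size_t n = 0;
    memset(blob, 0xAA, sizeof blob);
    blob[0] = REND_STEALTH_AUTH;
    if (checked_dec_size(blob, sizeof blob, &n) != 0)
        return -1;
    return (long)n;
}

int main(void) {
    size_t sizes[] = { 2, 16, 17, 20 };
    for (size_t i = 0; i < sizeof sizes / sizeof sizes[0]; i++) {
        printf("size %2zu: expression gives %zu, wraps=%d\n",
               sizes[i], vulnerable_dec_size(sizes[i]), dec_size_wraps(sizes[i]));
    }
    printf("short blob rejected: %d\n", demo_short_blob_rejected());
    printf("valid blob plaintext size: %ld\n", demo_valid_blob_size());
    return 0;
}
```

Running it shows that every blob shorter than 17 bytes passes the original length check yet yields a size near SIZE_MAX from the quoted expression; the hardened function rejects those inputs before the subtraction, which is the check a decoder of this layout needs regardless of whether the allocator aborts or returns NULL on an absurd size.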