[tor-bugs] #8062 [Tor]: We try to squeeze a two-byte version into a one-byte link_proto
#8062: We try to squeeze a two-byte version into a one-byte link_proto
--------------------+-------------------------------------------------------
Reporter: arma | Owner:
Type: defect | Status: new
Priority: normal | Milestone: Tor: 0.2.3.x-final
Component: Tor | Version:
Keywords: | Parent:
Points: | Actualpoints:
--------------------+-------------------------------------------------------
{{{
int highest_supported_version = 0;
...
uint16_t v = ntohs(get_uint16(cp));
if (is_or_protocol_version_known(v) && v > highest_supported_version)
  highest_supported_version = v;
...
chan->conn->link_proto = highest_supported_version;
}}}
But
{{{
uint8_t link_proto; /**< What protocol version are we using? 0 for
                     * "none negotiated yet." */
}}}
So these checks in channel_tls_process_versions_cell():
{{{
if (!highest_supported_version) {
  ...
} else if (highest_supported_version == 1) {
  ...
} else if (highest_supported_version < 3 &&
           chan->conn->base_.state == OR_CONN_STATE_OR_HANDSHAKING_V3)
{
  ...
} else if (highest_supported_version != 2 &&
           chan->conn->base_.state == OR_CONN_STATE_OR_HANDSHAKING_V2) {
}}}
can all be bypassed by sending 0x0101 rather than 0x0001, etc.
Reported by bob from irc. He says there are triggerable asserts, but he
didn't clarify which one.
See also #8059 for a nearby bug.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/8062>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
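Added example, not part of the original ticket and not Tor's code: the narrowing the ticket describes, where the checks run on an int but the field is a uint8_t, next to a range check made before the store. struct conn, store_unchecked(), store_checked() and checked_and_stored_differ() are hypothetical names; is_or_protocol_version_known() is not modelled, so the wide value is assumed to reach the assignment as in the ticket's scenario.

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical stand-in for the connection field quoted in the ticket. */
struct conn { uint8_t link_proto; };

/* Narrowing as in the ticket: the checks saw `negotiated` (an int), but the
 * field keeps only the low 8 bits. Returns the value actually stored. */
static uint8_t store_unchecked(struct conn *c, int negotiated)
{
  c->link_proto = (uint8_t)negotiated;  /* 0x0101 -> 0x01 */
  return c->link_proto;
}

/* Hardened form (an assumption, not Tor's fix): refuse any value that does
 * not fit the field's type. Returns 0 on success, -1 if the value was
 * rejected and the field left untouched. */
static int store_checked(struct conn *c, int negotiated)
{
  if (negotiated < 0 || negotiated > UINT8_MAX)
    return -1;
  c->link_proto = (uint8_t)negotiated;
  return 0;
}

/* Returns 1 when the value the checks saw differs from the value stored. */
static int checked_and_stored_differ(int negotiated)
{
  struct conn c = { 0 };
  return store_unchecked(&c, negotiated) != negotiated;
}

int main(void)
{
  /* Constructed sample inputs: the two values named in the ticket, plus 3. */
  const int samples[] = { 0x0001, 0x0101, 0x0003 };
  for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
    struct conn c = { 0 };
    int rc = store_checked(&c, samples[i]);
    printf("0x%04x: unchecked stores %u, mismatch=%d, checked rc=%d\n",
           (unsigned)samples[i], (unsigned)store_unchecked(&c, samples[i]),
           checked_and_stored_differ(samples[i]), rc);
  }
  return 0;
}
```

Building with -Wconversion flags the implicit int to uint8_t assignment shown in the ticket's first snippet.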