[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

[tor-commits] [tor/master] prop224: Fix length check when purging hidserv requests.

To: tor-commits@xxxxxxxxxxxxxxxxxxxx
Subject: [tor-commits] [tor/master] prop224: Fix length check when purging hidserv requests.
From: nickm@xxxxxxxxxxxxxx
Date: Mon, 28 Aug 2017 19:49:15 +0000 (UTC)
Delivered-to: archiver@xxxxxxxx
Delivery-date: Mon, 28 Aug 2017 15:49:27 -0400
List-archive: <http://lists.torproject.org/pipermail/tor-commits/>
List-help: <mailto:tor-commits-request@lists.torproject.org?subject=help>
List-id: "auto: code repository commits" <tor-commits.lists.torproject.org>
List-post: <mailto:tor-commits@lists.torproject.org>
List-subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-commits>, <mailto:tor-commits-request@lists.torproject.org?subject=subscribe>
List-unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-commits>, <mailto:tor-commits-request@lists.torproject.org?subject=unsubscribe>
Patch-author: George Kadianakis <desnacked@xxxxxxxxxx>
Sender: "tor-commits" <tor-commits-bounces@xxxxxxxxxxxxxxxxxxxx>

commit 93a0a4a4221b5c60b3c4fe22d38c81914176dedb
Author: George Kadianakis <desnacked@xxxxxxxxxx>
Date:   Mon Aug 28 16:30:51 2017 +0300

    prop224: Fix length check when purging hidserv requests.
    
    That check was wrong:
    
    a) We should be making sure that the size of `key` is big enough before
       proceeding, since that's the buffer that we would overread with the
       tor_memeq() below.
    
       The old check used to check that `req_key_str` is big enough which is
       not right, since we won't read deep into that buffer.
    
       The new check makes sure that `key` has enough size to survive the
       tor_memeq(), and if not it moves to the next element of the strmap.
    
    b) That check shouldn't be a BUG since that strmap contains
       variable-sized elements and we should not be bugging out if we happen
       to compare a small sized element (v2) to a bigger one (v3).
---
 src/or/hs_common.c | 12 +++++-------
 1 file changed, 5 insertions(+), 7 deletions(-)

diff --git a/src/or/hs_common.c b/src/or/hs_common.c
index 03dd07f6c..a4b8ba3e8 100644
--- a/src/or/hs_common.c
+++ b/src/or/hs_common.c
@@ -1453,14 +1453,12 @@ hs_purge_hid_serv_from_last_hid_serv_requests(const char *req_key_str)
     /* XXX: The use of REND_DESC_ID_V2_LEN_BASE32 is very wrong in terms of
      * semantic, see #23305. */
 
-    /* Length check on the strings we are about to compare. The "key" contains
-     * both the base32 HSDir identity digest and the requested key at the
+    /* This strmap contains variable-sized elements so this is a basic length
+     * check on the strings we are about to compare. The "key" contains both
+     * the base32 HSDir identity digest and the requested key at the
      * directory. The "req_key_str" can either be a base32 descriptor ID or a
-     * base64 blinded key which should be the second part of "key". BUG on
-     * this check because both strings are internally controlled so this
-     * should never happen. */
-    if (BUG((strlen(req_key_str) + REND_DESC_ID_V2_LEN_BASE32) <
-            strlen(key))) {
+     * base64 blinded key which should be the second part of "key". */
+    if (strlen(key) < REND_DESC_ID_V2_LEN_BASE32 + strlen(req_key_str)) {
       iter = strmap_iter_next(last_hid_serv_requests, iter);
       continue;
     }



_______________________________________________
tor-commits mailing list
tor-commits@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-commits

Prev by Author: [tor-commits] [tor/maint-0.3.0] Merge remote-tracking branch 'public/bug20270_029' into maint-0.3.0
Next by Author: [tor-commits] [tor/maint-0.3.0] Merge remote-tracking branch 'karsten/geoip-jul2017' into maint-0.2.4
Previous by thread: [tor-commits] [tor/master] prop224: Add test that exposes the #23343 bug.
Next by thread: [tor-commits] [tor/master] fixup! prop224: Fix length check when purging hidserv requests.
Index(es):
- Author
- Thread