[tor-commits] [tor/main] Add a size argument for the buffer on onion handshake functions
commit 358ce9a19d522d1e1cf9a119850e924ca106fec5
Author: Nick Mathewson <nickm@xxxxxxxxxxxxxx>
Date: Tue Sep 14 14:19:22 2021 -0400
Add a size argument for the buffer on onion handshake functions
---
src/core/crypto/onion_crypto.c | 19 ++++++++++++++++---
src/core/crypto/onion_crypto.h | 4 +++-
src/core/mainloop/cpuworker.c | 1 +
src/core/or/circuitbuild.c | 6 ++++--
src/core/or/command.c | 1 +
5 files changed, 25 insertions(+), 6 deletions(-)
diff --git a/src/core/crypto/onion_crypto.c b/src/core/crypto/onion_crypto.c
index f85ee2c82b..66c21bf655 100644
--- a/src/core/crypto/onion_crypto.c
+++ b/src/core/crypto/onion_crypto.c
@@ -103,19 +103,23 @@ onion_handshake_state_release(onion_handshake_state_t *state)
/** Perform the first step of a circuit-creation handshake of type <b>type</b>
* (one of ONION_HANDSHAKE_TYPE_*): generate the initial "onion skin" in
- * <b>onion_skin_out</b>, and store any state information in <b>state_out</b>.
+ * <b>onion_skin_out</b> with length of up to <b>onion_skin_out_maxlen</b>,
+ * and store any state information in <b>state_out</b>.
* Return -1 on failure, and the length of the onionskin on acceptance.
*/
int
onion_skin_create(int type,
const extend_info_t *node,
onion_handshake_state_t *state_out,
- uint8_t *onion_skin_out)
+ uint8_t *onion_skin_out,
+ size_t onion_skin_out_maxlen)
{
int r = -1;
switch (type) {
case ONION_HANDSHAKE_TYPE_TAP:
+ if (onion_skin_out_maxlen < TAP_ONIONSKIN_CHALLENGE_LEN)
+ return -1;
if (!node->onion_key)
return -1;
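Review bot: The rewritten doxygen comment for onion_skin_create describes the new <b>onion_skin_out_maxlen</b> bound but never says that an undersized buffer is itself a failure, so a caller reading the contract cannot tell the -1 from a key-material problem. Since the check is now the first thing each branch does, the return line should name it: ` * Return -1 on failure (including when <b>onion_skin_out_maxlen</b> is smaller than the onionskin for <b>type</b>), and the length of the onionskin on acceptance.` The body of onion_skin_create continues past the end of this hunk.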
@@ -133,7 +137,9 @@ onion_skin_create(int type,
r = CREATE_FAST_LEN;
break;
case ONION_HANDSHAKE_TYPE_NTOR:
- if (!extend_info_supports_ntor(node))
+ if (onion_skin_out_maxlen < NTOR_ONIONSKIN_LEN)
+ return -1;
+ if (!extend_info_supports_ntor(node))
return -1;
if (onion_skin_ntor_create((const uint8_t*)node->identity_digest,
&node->curve25519_onion_key,
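Review bot: The ONION_HANDSHAKE_TYPE_FAST branch of onion_skin_create gets no <b>onion_skin_out_maxlen</b> check, while the TAP and NTOR branches on either side of it now reject a short buffer before doing anything else. The branch itself starts above this hunk, but the file's diffstat (16 insertions, 3 deletions) is fully accounted for by the hunks shown, and none of the added lines touches it, so the FAST write into onion_skin_out remains unbounded by the new argument. For consistency with the other two cases the branch should open with `case ONION_HANDSHAKE_TYPE_FAST:` / `if (onion_skin_out_maxlen < CREATE_FAST_LEN)` / `return -1;` ahead of the existing handshake call; the visible `r = CREATE_FAST_LEN;` is the length the check should guard.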
@@ -175,6 +181,7 @@ onion_skin_server_handshake(int type,
const uint8_t *onion_skin, size_t onionskin_len,
const server_onion_keys_t *keys,
uint8_t *reply_out,
+ size_t reply_out_maxlen,
uint8_t *keys_out, size_t keys_out_len,
uint8_t *rend_nonce_out)
{
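Review bot: The new <b>reply_out_maxlen</b> parameter of onion_skin_server_handshake is not described in the function's doxygen comment, which sits above this hunk and — given that every insertion in this file is visible in the shown hunks — was not touched by the commit. A reader of the prototype has no way to learn that the four type-specific rejections added further down are driven by it. A one-line addition to that comment would do: ` * <b>reply_out_maxlen</b> is the size of <b>reply_out</b>; the function returns -1 if it is smaller than the reply for <b>type</b>.` The function's doc comment and the rest of its body lie outside this hunk.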
@@ -182,6 +189,8 @@ onion_skin_server_handshake(int type,
switch (type) {
case ONION_HANDSHAKE_TYPE_TAP:
+ if (reply_out_maxlen < TAP_ONIONSKIN_REPLY_LEN)
+ return -1;
if (onionskin_len != TAP_ONIONSKIN_CHALLENGE_LEN)
return -1;
if (onion_skin_TAP_server_handshake((const char*)onion_skin,
@@ -193,6 +202,8 @@ onion_skin_server_handshake(int type,
memcpy(rend_nonce_out, reply_out+DH1024_KEY_LEN, DIGEST_LEN);
break;
case ONION_HANDSHAKE_TYPE_FAST:
+ if (reply_out_maxlen < CREATED_FAST_LEN)
+ return -1;
if (onionskin_len != CREATE_FAST_LEN)
return -1;
if (fast_server_handshake(onion_skin, reply_out, keys_out, keys_out_len)<0)
@@ -201,6 +212,8 @@ onion_skin_server_handshake(int type,
memcpy(rend_nonce_out, reply_out+DIGEST_LEN, DIGEST_LEN);
break;
case ONION_HANDSHAKE_TYPE_NTOR:
+ if (reply_out_maxlen < NTOR_REPLY_LEN)
+ return -1;
if (onionskin_len < NTOR_ONIONSKIN_LEN)
return -1;
{
diff --git a/src/core/crypto/onion_crypto.h b/src/core/crypto/onion_crypto.h
index 68cd465cf7..bf25552b83 100644
--- a/src/core/crypto/onion_crypto.h
+++ b/src/core/crypto/onion_crypto.h
@@ -25,11 +25,13 @@ void onion_handshake_state_release(onion_handshake_state_t *state);
int onion_skin_create(int type,
const extend_info_t *node,
onion_handshake_state_t *state_out,
- uint8_t *onion_skin_out);
+ uint8_t *onion_skin_out,
+ size_t onion_skin_out_maxlen);
int onion_skin_server_handshake(int type,
const uint8_t *onion_skin, size_t onionskin_len,
const server_onion_keys_t *keys,
uint8_t *reply_out,
+ size_t reply_out_maxlen,
uint8_t *keys_out, size_t key_out_len,
uint8_t *rend_nonce_out);
int onion_skin_client_handshake(int type,
diff --git a/src/core/mainloop/cpuworker.c b/src/core/mainloop/cpuworker.c
index 17855b8567..b7b09784fa 100644
--- a/src/core/mainloop/cpuworker.c
+++ b/src/core/mainloop/cpuworker.c
@@ -426,6 +426,7 @@ cpuworker_onion_handshake_threadfn(void *state_, void *work_)
cc->onionskin, cc->handshake_len,
onion_keys,
cell_out->reply,
+ sizeof(cell_out->reply),
rpl.keys, CPATH_KEY_MATERIAL_LEN,
rpl.rend_auth_material);
if (n < 0) {
diff --git a/src/core/or/circuitbuild.c b/src/core/or/circuitbuild.c
index 31e3868b65..dc8d888c97 100644
--- a/src/core/or/circuitbuild.c
+++ b/src/core/or/circuitbuild.c
@@ -995,7 +995,8 @@ circuit_send_first_onion_skin(origin_circuit_t *circ)
len = onion_skin_create(cc.handshake_type,
circ->cpath->extend_info,
&circ->cpath->handshake_state,
- cc.onionskin);
+ cc.onionskin,
+ sizeof(cc.onionskin));
if (len < 0) {
log_warn(LD_CIRC,"onion_skin_create (first hop) failed.");
return - END_CIRC_REASON_INTERNAL;
@@ -1142,7 +1143,8 @@ circuit_send_intermediate_onion_skin(origin_circuit_t *circ,
len = onion_skin_create(ec.create_cell.handshake_type,
hop->extend_info,
&hop->handshake_state,
- ec.create_cell.onionskin);
+ ec.create_cell.onionskin,
+ sizeof(ec.create_cell.onionskin));
if (len < 0) {
log_warn(LD_CIRC,"onion_skin_create failed.");
return - END_CIRC_REASON_INTERNAL;
diff --git a/src/core/or/command.c b/src/core/or/command.c
index 40eb1554c0..5fdd8dd135 100644
--- a/src/core/or/command.c
+++ b/src/core/or/command.c
@@ -367,6 +367,7 @@ command_process_create_cell(cell_t *cell, channel_t *chan)
create_cell->handshake_len,
NULL,
created_cell.reply,
+ sizeof(created_cell.reply),
keys, CPATH_KEY_MATERIAL_LEN,
rend_circ_nonce);
tor_free(create_cell);