[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]
[tor-commits] [tor/release-0.4.5] Fix detection of point to insert signatures on a pending consensus.
commit 890ae4fb1adfa13e37aaf5261e089e8c195a75cf
Author: Nick Mathewson <nickm@xxxxxxxxxxxxxx>
Date: Wed Mar 3 15:14:31 2021 -0500
Fix detection of point to insert signatures on a pending consensus.
We were looking for the first instance of "directory-signature "
when instead the correct behavior is to look for the first instance
of "directory-signature " at the start of a line.
Unfortunately, this can be exploited as to crash authorities while
they're voting.
Fixes #40316; bugfix on 0.2.2.4-alpha. This is TROVE-2021-002,
also tracked as CVE-2021-28090.
---
changes/bug40316 | 5 +++++
src/feature/dirauth/dirvote.c | 2 +-
2 files changed, 6 insertions(+), 1 deletion(-)
diff --git a/changes/bug40316 b/changes/bug40316
new file mode 100644
index 0000000000..cd275b5c9c
--- /dev/null
+++ b/changes/bug40316
@@ -0,0 +1,5 @@
+ o Major bugfixes (security, denial of service):
+ - Fix a bug in appending detached signatures to a pending consensus
+ document that could be used to crash a directory authority.
+ Fixes bug 40316; bugfix on 0.2.2.6-alpha. Tracked as
+ TROVE-2021-002 and CVE-2021-28090.
diff --git a/src/feature/dirauth/dirvote.c b/src/feature/dirauth/dirvote.c
index af8b3dc207..9e01cee42a 100644
--- a/src/feature/dirauth/dirvote.c
+++ b/src/feature/dirauth/dirvote.c
@@ -3520,7 +3520,7 @@ dirvote_add_signatures_to_pending_consensus(
strlen(pc->body) + strlen(new_signatures) + 1;
pc->body = tor_realloc(pc->body, new_consensus_len);
dst_end = pc->body + new_consensus_len;
- dst = strstr(pc->body, "directory-signature ");
+ dst = (char *) find_str_at_start_of_line(pc->body, "directory-signature ");
tor_assert(dst);
strlcpy(dst, new_signatures, dst_end-dst);
_______________________________________________
tor-commits mailing list
tor-commits@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-commits