[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]
[tor-bugs] #4745 [Tor Relay]: Possible flaws in sockaddr validation in connection_handle_listener_read()
#4745: Possible flaws in sockaddr validation in connection_handle_listener_read()
-----------------------+----------------------------------------------------
Reporter: asn | Owner:
Type: defect | Status: new
Priority: normal | Milestone:
Component: Tor Relay | Version:
Keywords: | Parent:
Points: | Actualpoints:
-----------------------+----------------------------------------------------
`connection_handle_listener_read()`:
{{{
...
if (conn->socket_family == AF_INET || conn->socket_family == AF_INET6) {
tor_addr_t addr;
uint16_t port;
if (check_sockaddr(remote, remotelen, LOG_INFO)<0) {
log_info(LD_NET,
"accept() returned a strange address; trying
getsockname().");
remotelen=sizeof(addrbuf);
memset(addrbuf, 0, sizeof(addrbuf));
if (getsockname(news, remote, &remotelen)<0) {
int e = tor_socket_errno(news);
log_warn(LD_NET, "getsockname() for new connection failed: %s",
tor_socket_strerror(e));
} else {
if (check_sockaddr((struct sockaddr*)addrbuf, remotelen,
LOG_WARN) < 0) {
log_warn(LD_NET,"Something's wrong with this conn. Closing
it.");
tor_close_socket(news);
return 0;
}
}
}
...
}}}
If both `check_sockaddr()` '''and''' getsockname()` fail, we continue
with a corrupted '''remote''' (and sockaddr), instead of closing the
socket and returning 0.
I'm not sure if this is a bug, but it feels weird, since if the second
`check_sockaddr() `fails, we close the socket and return 0, which is what
I feel that should happen.
I'm also not sure how someone can make both `check_sockaddr()` '''and'''
getsockname()` fail, and I'm not sure how `remote` would have to look in
this case or what would happen afterwards.
All in all, is the validation here intended to be like this?
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/4745>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
_______________________________________________
tor-bugs mailing list
tor-bugs@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs