[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]
[tor-bugs] #9925 [Tor]: Directory Authorities can crash client/relay
#9925: Directory Authorities can crash client/relay
--------------------+------------------------------------
Reporter: sysrqb | Owner:
Type: defect | Status: new
Priority: normal | Milestone: Tor: 0.2.5.x-final
Component: Tor | Version:
Keywords: | Actual Points:
Parent ID: | Points:
--------------------+------------------------------------
A malicious/misbehaving set of directory authorities can cause a client to
fail an assertion if they create a consensus that swaps descriptor digests
between router entries and a client already has the descriptors for those
routers.
in update_consensus_router_descriptor_downloads()
{{{
SMARTLIST_FOREACH_BEGIN(consensus->routerstatus_list, void *, rsp) {
routerstatus_t *rs =
is_vote ? &(((vote_routerstatus_t *)rsp)->status) : rsp;
signed_descriptor_t *sd;
if ((sd = router_get_by_descriptor_digest(rs->descriptor_digest))) {
const routerinfo_t *ri;
++n_have;
if (!(ri = router_get_by_id_digest(rs->identity_digest)) ||
tor_memneq(ri->cache_info.signed_descriptor_digest,
sd->signed_descriptor_digest, DIGEST_LEN)) {
}}}
If rs && sd && ri && the descriptor digests are not equal, then
in routerlist_remove_old()
{{{
tor_assert(0 <= idx && idx < smartlist_len(rl->old_routers));
/* XXXX edmanm's bridge relay triggered the following assert while
* running 0.2.0.12-alpha. If anybody triggers this again, see if we
* can get a backtrace. */
tor_assert(smartlist_get(rl->old_routers, idx) == sd);
}}}
Both assertions are triggerable because sd is assumed to be in
old_routers. If the consensus specifies a valid but wrong descriptor
digest for a router (i.e. they swap two of them), then the client will
compare that new digest to the one it already has in the routerinfo. They
will be different, so the client will assume it already has a new
descriptor and that it previously moved the old descriptor into
rl->old_routers (despite the fact that clients don't cache them and
old_routers is empty). When we try to retrieve the cached descriptor, we
assert.
If we're a relay, then we probably have descriptors in old_routers but not
the one we're looking for. Therefore, these assumption are false, because
we're comparing two different routers, thus resulting in the crash.
Brought to you by your friendly neighborhood cat.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/9925>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
_______________________________________________
tor-bugs mailing list
tor-bugs@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs