[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-bugs] #6797 [Tor Directory Authority]: dirserv_generate_networkstatus_vote_obj() might dereference NULL

To: undisclosed-recipients:;
Subject: Re: [tor-bugs] #6797 [Tor Directory Authority]: dirserv_generate_networkstatus_vote_obj() might dereference NULL
From: "Tor Bug Tracker & Wiki" <torproject-admin@xxxxxxxxxxxxxx>
Date: Mon, 10 Sep 2012 09:10:50 -0000
Auto-submitted: auto-generated
Delivered-to: archiver@xxxxxxxx
Delivery-date: Mon, 10 Sep 2012 05:11:02 -0400
In-reply-to: <043.f44d99cab9adf2bcac3719c6fc7bf3eb@xxxxxxxxxxxxxx>
List-archive: <http://lists.torproject.org/pipermail/tor-bugs>
List-help: <mailto:tor-bugs-request@lists.torproject.org?subject=help>
List-id: "auto: Tor bug tracker status mails" <tor-bugs.lists.torproject.org>
List-post: <mailto:tor-bugs@lists.torproject.org>
List-subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs>, <mailto:tor-bugs-request@lists.torproject.org?subject=subscribe>
List-unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-bugs>, <mailto:tor-bugs-request@lists.torproject.org?subject=unsubscribe>
References: <043.f44d99cab9adf2bcac3719c6fc7bf3eb@xxxxxxxxxxxxxx>
Reply-to: tor-assistants@xxxxxxxxxxxxxx
Sender: tor-bugs-bounces@xxxxxxxxxxxxxxxxxxxx

#6797: dirserv_generate_networkstatus_vote_obj() might dereference NULL
-------------------------------------+--------------------------------------
 Reporter:  ln5                      |          Owner:  ln5         
     Type:  defect                   |         Status:  needs_review
 Priority:  major                    |      Milestone:              
Component:  Tor Directory Authority  |        Version:              
 Keywords:                           |         Parent:              
   Points:                           |   Actualpoints:              
-------------------------------------+--------------------------------------

Comment(by ln5):

 dirvote_create_microdescriptor() returns NULL if either of

 1. crypto_pk_write_public_key_to_string(ri->onion_pkey, &key, &keylen)
 returns < 0
 2. microdescs_parse_from_string() returns a list with length != 1


 Case 1 happens if either of

 a) BIO_new(BIO_s_mem()) returns != 0
 b) PEM_write_bio_RSAPublicKey(b, env->key) returns != 0

 Case 2 happens if either of

 a) we have produced md text that we cannot parse (tokenize_string() -> !=
 0)
 b) there's more than one (proper) md in the input (no)
 c) bad time in "@last-listed" (no)
 d) invalid exponent in "onion-key" (crypto_pk_public_exponent_ok() -> 0)
 e) illegal nickname in "family" (is_legal_nickname_or_hexdigest() -> 0)


 I can not see how case 1 would be triggered remotely.

 I think that case 2 is possible to trigger if you can get a
 routerinfo_t with an invalid onion-key or nickname into the routerlist
 of a dir auth. That seems tricky though. Routers from "r" lines are
 protected by router_parse_entry_from_string(), using the same
 verification functions as mentioned above.

-- 
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/6797#comment:2>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
_______________________________________________
tor-bugs mailing list
tor-bugs@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

References:
- [tor-bugs] #6797 [Tor Directory Authority]: dirserv_generate_networkstatus_vote_obj() might dereference NULL
  - From: Tor Bug Tracker & Wiki

Prev by Author: Re: [tor-bugs] #3100 [TorBrowserButton]: Reduce security prefs into a few groups
Next by Author: Re: [tor-bugs] #6677 [Compass]: add a 'total' line at the bottom of the table
Previous by thread: Re: [tor-bugs] #6797 [Tor Directory Authority]: dirserv_generate_networkstatus_vote_obj() might dereference NULL
Next by thread: Re: [tor-bugs] #6797 [Tor Directory Authority]: dirserv_generate_networkstatus_vote_obj() might dereference NULL
Index(es):
- Author
- Thread