|
@@ -521,6 +521,11 @@ onion_skin_create(int type,
|
|
|
return r;
|
|
|
}
|
|
|
|
|
|
+/* This is the maximum value for keys_out_len passed to
|
|
|
+ * onion_skin_server_handshake, plus 16. We can make it bigger if needed:
|
|
|
+ * It just defines how many bytes to stack-allocate. */
|
|
|
+#define MAX_KEYS_TMP_LEN 128
|
|
|
+
|
|
|
/** Perform the second (server-side) step of a circuit-creation handshake of
|
|
|
* type <b>type</b>, responding to the client request in <b>onion_skin</b>
|
|
|
* using the keys in <b>keys</b>. On success, write our response into
|
|
@@ -563,7 +568,8 @@ onion_skin_server_handshake(int type,
|
|
|
return -1;
|
|
|
{
|
|
|
size_t keys_tmp_len = keys_out_len + DIGEST_LEN;
|
|
|
- uint8_t keys_tmp[keys_tmp_len];
|
|
|
+ tor_assert(keys_tmp_len <= MAX_KEYS_TMP_LEN);
|
|
|
+ uint8_t keys_tmp[MAX_KEYS_TMP_LEN];
|
|
|
|
|
|
if (onion_skin_ntor_server_handshake(
|
|
|
onion_skin, keys->curve25519_key_map,
|
|
@@ -573,9 +579,10 @@ onion_skin_server_handshake(int type,
|
|
|
/* no need to memwipe here, since the output will never be used */
|
|
|
return -1;
|
|
|
}
|
|
|
+
|
|
|
memcpy(keys_out, keys_tmp, keys_out_len);
|
|
|
memcpy(rend_nonce_out, keys_tmp+keys_out_len, DIGEST_LEN);
|
|
|
- memwipe(keys_tmp, 0, keys_tmp_len);
|
|
|
+ memwipe(keys_tmp, 0, sizeof(keys_tmp));
|
|
|
r = NTOR_REPLY_LEN;
|
|
|
}
|
|
|
break;
|